now. I mentioned something earlier that bears repeating. So, as a matter of fact, I'm gonna repeat it about eight million times. Throughout this course.
The purpose of information security in information technology and of technology is a whole and of people and their specific roles and responsibilities.
The purpose for all of us is to support the business to bring value to the business. Now, it may not be monetary value. You know, you're not gonna profit off of information security. Probably, but we can look at that value as a reduction and loss. Right?
Some values will be value. Might be
to maintain compliance, to improve customer service across customer perception but ultimately our jobs, or to deliver value to the business. And at the point in time when we no longer deliver value to the business, they were no longer NASA. Right? So this section talks about alignment
of technology and information, security
to businesses, a hole.
So if we're gonna line the i t strategy with the business strategy in relation to risk, then obviously that's going to require a lot of input from senior management. Because it's up the senior management to determine the approach or appetite for risks.
It's up the senior management to provide that alignment. Look at how certain risks affect the long term goals of the organization.
It's up to them to prioritize risk events and assets. So we're definitely going toe have tohave senior management involved here and for our I t folks, you got to get out of the basement for this one, right? Because we love our servers. We love our technology that they're really only relevant
in how they support the business
and how we lost that technology would create a loss for the business. So we gotta get out of the basement. As a matter of fact, on most of this test, you got to stay out of the basement. The Onley reason we have jobs. The only reason any of this is significant is how the business is impact.
So technology should help the business accomplish their goal. Shouldn't be there to hinder or, you know, provide resistance. So what we have to figure out is how we address risks in a manner that's consistent with the business that helps the business reach their goals.
so when we talk about that again for full of point get out of the basement.
Communicate Senior Management said that understand the vision and strategy, Understand the organization, and I think you'll see several questions or you. You certainly could see several questions about
you've just been hired as a chief risk officer or is a risk practitioner or whatever you've been hired to do.
What is the first activity you should undertake?
Meet with senior management, meet with the heads of departments, understand the organization, understand how the organization functions, then understand how they approach risk before you ever jump right in and start collecting information
like you know what assets are and so on. We wanna understand the context. Remember how all those framework started with figure out the context or framed the risk? Well, that's what we're doing by meeting with other managers and understanding what the goals and objectives of the business are.
always start with the business and honestly, you know what always finish with business. We always start with the business. It wraps around to the decisions made with the business. It's all about the business. So if you're ever in a situation where
use a risk practitioner, recommend a B and C,
the business owner says those choices are too expensive and chooses not to implement any of them. Who wins the fight between you saying protecting him, saying now it's too expensive.
The business owner always wins that fight.
Now along with it, though, they have the liability. So if they make poor decisions, we get a compromise. They're the one's liable. They're the ones who are ultimately accountable for the protection of their assets.
All right, so making sure that our risks and our approach to risks are in alignment with the organization as a whole. Of course. So we have the same risk framework in I t that the rest of the organization works with. Ideally, we have the same lexicon. We have the same processes and methodology.
We want this to be a holistic,
complete or comprehensive approach to risk management.
All right, so, risk practitioner, that's us right now.
It depends on, you know, the very rarely in the company is a job title risk practitioner. So this might be your chief risk officer or, you know, whoever specifically responsible for information security risks.
no, the business listen to the strategy because the business strategy will drive us to our risk strategy.
Seek out ways to secure our technologies and our processes,
analyze what's in place and determine if it's sufficient.
Build relationships between your business managers. You want those relationships to allow smooth communication.
Don't forget your chief financial officer. That's somebody you want to take out golfing one day because this is the person that signs the checks. And quite frequently we need funding in order to support the mechanisms that we want to put in place.
a few more things be aware off and mitigate the risk of change.
There's only so much you could do about change. But being a forward thinking and understanding how changes on the horizon can impact our current risk profile and what we need to do about that sure, absolutely
create a culture that encourages the participation of risk management into business processes. That's really what we're ultimately working towards, right, an environment in which we make risk aware decisions were no longer making decisions for things like,
Well, it ain't broke, don't fix it. We're no longer making decisions based on
good enough, no longer making decisions on the idea of, Well, we can't do this because nobody will support it or it's too hard or any of those ideas were making risk aware business decisions
and then also understanding past events. In order to understand the context of where we are today, it often helps to look backwards. So what's happened in the past? How if we've been compromised?
Uh, what are the lessons that we learned from those events? And how can we take that information, move forward better?
Another element that's gonna be required in order for me to effectively support the organization is toe have a set of clearly defined roles and responsibilities where folks we're employees, business unit leaders, end users understand their role in the organization
and making sure that we don't have any sort of
gaps and responsibility
now with particular projects or particular implementations
endeavors. Whatever you want to say, it's often helpful toe have what we refer to as a racy chart.
So racy stands for responsible, accountable consult and inform. And yeah, that's gonna come up a reasonable amount on this test, particularly the difference between responsibility and accountability.
So almost which it was called an Arky matrix because really at the top of the food chain is accountable.
I am the one you come to, the buck stops here
I am someone that has the authority and capability off addressing whatever issues come up of allocating funds of providing resource is it ultimately comes down to me.
And yet you're gonna see most of the time that accountability going to the steering committee senior management. Every now and then you'll see Goto another department. But
most of the time it's here with senior management, occasionally business owners or the department managers, but frequently senior management.
So I have the ultimate accountability for the organization as a whole.
If there is a security breach, choose ultimately accountable.
You know, we're not finding the head of production. It comes straight to senior management. So there's that accountability
now responsibility. Oh, and by the way, you should have on Lee one individual accountable.
Now, you may have multiple responsible Sze responsible. They're the ones that get the work done.
Okay, so you can see the risk practitioner here on the end. There gonna be collecting the data. They're gonna be delivering the risk report. So the doers, if you will, so accountable at the top. These air, the ultimate ones you go to in relation to a risk
responsible there the worker, the worker bees, if you will
C stands for consult. So consult before I make a decision, I'm gonna consult with you
Inform. After I made the decision, I'm gonna let you know we decided. So this isn't written in stone. This isn't a testable. You need to know that department managers get consulted on informed response. Don't worry with that.
But I would certainly understand the context in the significance and how very helpful
a racy chart is. And this is really helpful to make sure that we're organized. Like I said in such a way that we have comprehensive coverage and then ultimately that's gonna lead us to information security, risk management in such a way that we don't have conflicts of interest. And we have,
uh, checks and balances in place. So when we talk about that idea of checks and balances, we should have three lines of defense within our organization.
I always think of Line one management control, ownership. This is the front lines. These are the folks in the trenches day today. The business owners. These air the folks that air ultimately implementing the controls.
They're ultimately monitoring the seeing if the controls are meeting the requirements. So they're the ones looking at K R
eyes and KP eyes. They're making sure that the security controls are implemented. You know, people processes technology on and really they are ultimately the ones that get their hands dirty with this. Okay, so the risk practice, I'm sorry,
the risk management element really could also be called governments because the responsibility here is to make sure that we have the processes and the programs. You know that we have the elements in place that were aligned with strategic direction,
that we have the elements to ensure legal compliance.
This usually is much higher up. So where, as with management controller ownership line one, they're responsible for tracking K R eyes at level two for risk management. What were ultimately responsible here is determining what the k r I should be
and having the ultimate sign off on making sure that our tests are providing us with the information that we need so choosing a framework. So the way I think of it as the first line of defense is the business.
Second line is risk governance, and then the third line is all of it,
right. The third line of defense is internal. Audit sometimes could be external. But ultimately, internal audit is watching for the process,
making sure the framework is implemented properly, making sure that it's adequate
and, you know, ultimately providing reports. Remember, always auditors
all of it and report
an auditor never fixes a problem.
They never put the audit on hold while they get their wrench and screwdrivers out. That doesn't happen. They just document
all right, And by the way, I will mention
we will talk more about the various roles and responsibilities with risk management in just a little bit.