CRISC

Course
Time
6 hours 30 minutes
Difficulty
Advanced
CEU/CPE
7

Video Transcription

00:01
Now examining the components of an information security framework. We've got your operational elements; these are the types of things we do day to day.
00:11
That would include redundancy and assessment, lots of other ideas.
00:16
Management components, that hands-on
00:19
from functional managers and then support from senior management,
00:25
administrative components, your policies and procedures, and then educational components: train your people.
00:32
Okay, so for operational components, like we said, these are the day-to-day things. So identity and access management is really becoming huge, and we'll cover that in more depth in just a little bit. But the idea of creating an account,
00:50
managing that account, assigning rights and privileges, ensuring you've got single sign-on capabilities in your network, but now also integrated with cloud service providers, becomes an even taller order.
01:03
Security and event monitoring and analysis, being able to aggregate information from across your network; making sure we've got patches, but not just patches, that we have a patch management strategy, and that other changes go through change management processes; and then configuration management.
01:21
We talked about the importance of metrics; maintaining our security controls, which means change management if things need to change, but also going back and re-evaluating on a regular basis: are my controls working?
01:34
Incident response, disposal of data. You know, redundancy isn't even on this list, but redundancy is a piece as well, and we could really spend all day listing out operational components.
01:47
Now for the management components. That's the tie-in between the business and information security, that senior management
01:55
getting it, understanding it, supporting it,
01:59
providing resources and
02:02
making sure that the right
02:06
value is being delivered for the stakeholders by monitoring what the functional managers are doing. Are they accomplishing what they've set out to do?
02:15
Are roles clearly defined? Because roles often are not clearly defined within an organization. And we've talked about the necessity of separation of duties. I'll look at the roles in the RACI matrix in just a minute.
02:27
Ongoing communication with the business units. Feedback. Is it working? Did we make a good choice? And then what can we do about it?
02:36
This is a RACI matrix, and RACI stands for responsible, accountable, consulted, and informed.
02:43
So when we talk about responsible, these are the ones that have been assigned the task. You're responsible for accomplishing this task. Accountable is actually a layer up. I almost wish it was called an ARCI matrix just so we could keep it, you know, more together. Only one accountable
03:00
per task because they're the ones
03:04
that have the ultimate accountability for that activity, that action, that task to get accomplished. So maybe the VP of sales is ultimately accountable, and they have decision-making power, the capabilities, where sales managers and salespeople are going to be responsible.
03:23
All right. Consulted: before I make a decision, I consult.
03:29
After I've made the decision, I inform what the decision was. So those are the elements of a RACI matrix. I think that's important in management, so I would know this.
03:38
All right, administrative components. Okay, so we had operational, we had managerial, now we have administrative components. These are,
03:50
you know, the elements that make the organization work. These are our processes and procedures: how we bring employees on, how we terminate, how we train. Not just training, but how we train. This encompasses third-party governance, operational
04:09
desires versus security versus overhead.
04:13
Figuring out total cost of ownership and ROI, and I know I'm jumping around a little bit on the slide, but this is kind of what's coming to my mind. You know, when we talk about implementing security controls and we talk about speaking the business's financial language, that first bullet point, man, that's the business, right? Budget.
04:30
Make sure you can support your total cost of ownership as bringing value and a high return on investment to the organization.
04:39
And then last but not least, certainly the importance of education, and more and more organizations are understanding this, which is why you're seeing such a push for certification. I'm not saying certification means you have everything, but I am saying it's hard to go through a certification program without learning, right?
04:59
So educational components
05:01
and many organizations kind of have an educational structure for their employees. They take steps to make sure that awareness is elevated and that employees know the right thing to do. So educational components are a very important part of our security program.

This course on Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor