Desired State


Time: 32 minutes
Difficulty: Intermediate
CEU/CPE: 4
Video Description

In this lesson you will learn about the desired state: what is the vision for all relevant conditions at a particular point in the future? What principles, policies, and standards are needed to get us there? Which well-known frameworks can help us achieve our goals? Basically: where we are, where we're going, and where we want to be. You will also cover an overview of COBIT® 5. The major drivers for COBIT® 5 are to help us:

- Provide more stakeholders a means of determining what they expect from IT, balancing benefits, risks, and costs
- Prioritize stakeholder needs
- Address how an organization's success depends on third-party entities
- Deal with ever-increasing amounts of data: what is relevant and/or credible? How do we maximize the information we have?
- Understand and utilize the pervasiveness of information technology and related resources
- Facilitate the integration of IT and business functions
- Provide for innovation and emerging technologies
- Cover the full end-to-end IT and business functional responsibilities and allow for more effective governance and maintenance
- Deliver more value and increase satisfaction with IT service
- Connect and align with other major frameworks

Video Transcription
00:04
All right. Now, just a little bit ago, I mentioned the idea of the desired state, specifically versus the current state. And we usually talk about the term gap analysis, which means: here's where we are, here is where we want to be. What do we think about as far as how we can close the gap?
00:21
So when we talk about the current state, we only know that by doing assessments and documenting that information.
00:27
Now, where do we want to be? What is the desired state? So, ultimately, what's our vision? Where do we want to be? We've got to think about all the conditions and how we're going to satisfy our ultimate goals. How do we get there?
00:42
Principles, policies, procedures, standards, guidelines, training of our individuals,
00:48
working towards making changes to those policies and addressing the areas where we fall short. Perhaps we might need to examine the foundational structure that led us to the wrong place in the first place. What I mean by that is, if we're not compliant or if we're not at the desired state,
01:08
somewhere along the line we missed the mark. So one of the things that is frequently helpful is to go back and look at frameworks of organizations that have been successful and figure out how we can tailor those frameworks to our organization. So when we do talk about
01:26
security policies and looking at some well-known security frameworks,
01:32
there are a handful that are very useful, from the Security Forum. There's the International Organization for Standardization with 27001 and 27002. ISACA once again has COBIT and COSO, and there are numerous frameworks that are out here. I'm going to mention just a couple of them,
01:51
and again,
01:53
these are frameworks. These are not written in stone. These are not detailed step-by-step methodologies. They're the principles and the foundation on which to build a security program. So if you look at COBIT, we're on COBIT 5 right now,
02:07
the idea about COBIT is that you start out with your organizational goals:
02:13
where do we want to be as an organization? And we map those along the hierarchy all the way to the point where we get to our information technology goals, and that's the perfect solution, because again, IT technology goals have to support the organizational goals.
02:32
So we do that mapping.
02:35
And again, we're looking at benefits versus risks, that cost-benefit analysis. We're looking to secure the organization as a whole, not just IT, but taking these broad organizational enterprise goals
02:50
and achieving them each step of the way. So with COBIT, they have five principles with COBIT,
02:54
and we start off with meeting stakeholders' needs, because that's ultimately what the business is about: satisfying our shareholders or stakeholders, making sure that our customers are happy. So we have to start by looking at those needs in a very broad sense. Then
03:13
the idea of covering the enterprise
03:15
end to end, making sure that all the elements of our entire enterprise are in line with satisfying those objectives, meeting those needs of the stakeholders. This idea about applying a single integrated framework, this is a real benefit, because
03:31
many times we have very disjointed operations between departments,
03:37
and one department might be following one standard, Department B might be following another standard. COBIT is a framework that applies to the organization as a whole. It's not just an IT framework,
03:50
and the idea of a holistic approach is tied in. We're looking at the organization as a whole rather than lots of little bits; we're viewing the enterprise as a complete
04:00
entity in and of itself. And then the final principle is separating governance from management. We've talked about that: the idea that governance is concerned with setting the direction of the organization,
04:12
very broad, very high-level directives, whereas management figures out how to accomplish those directives. So if you think of governance as what we're trying to do, and management deals with how we get there, and making sure neither oversteps their bounds. So those are the principles of COBIT, COBIT 5,
04:31
and then just some additional information on it,
04:34
you know, again, helping us figure out stakeholders' needs, making sure that we're using our resources effectively, making sure IT is integrated into business functions, and not just IT, but information security as well,
04:48
making sure that it is cohesive and compatible with other frameworks that are out there, like frameworks from the Project Management Body of Knowledge,
04:58
frameworks from ITIL or ISO or any of those organizations. So we actually do have a course here, it's a Cybrary course on COBIT, that you might find helpful.
05:09
All right, now ITIL. ITIL is very popular: the Information Technology Infrastructure Library. And this really is the standard for service management, information technology service management. And there are five publications from ITIL that walk through strategy, design,
05:28
transition, operation, and then that phrase that we always think about, continual improvement.
05:33
We can always get better. But how?
05:40
Okay, if you're taking a test for the Certified CISO or you're taking the CISM exam or any of those others, these frameworks are not particularly testable. But from a knowledge standpoint in information technology, I would at least be knowledgeable of each of these frameworks
05:58
through at least the introductory level
06:00
or the foundational level with ITIL.
06:02
All right, OCTAVE. This is a risk assessment mechanism, and what this does, Operationally Critical Threat, Asset, and Vulnerability Evaluation, those are really the elements that make up a risk. So, self-directed, because we feel like those internal to the organization probably have
06:20
the best feel for the threats and the vulnerabilities that exist,
06:25
so there's a set of tools and processes that go through identifying assets and the threats and vulnerabilities and then developing a strategy for mitigating. So OCTAVE is all about risk management.
06:39
Now, the ISO 27000 series, the International Organization for Standardization, in their 27000 series, they have several documents that are particularly helpful to us: the establishment, implementation, control, and improvement
06:58
of an information security management system,
07:01
so ultimately it should span the life span of the ISMS. How do we implement it, how do we monitor and control it, how do we improve it? And the idea is that your information security management system should follow the Plan-Do-Check-Act model, meaning we're never complete.
07:20
We plan for security, we implement security, we check to see if it worked, and then we act upon our findings.
07:27
So the idea is that you're constantly involved in security management. Now, ISO 27002, these were the best practices. So this is the practical how: how are we going to implement these security controls? And it indicates 10 separate domains that we have to be concerned with
07:46
with information security management systems,
07:48
access control, business continuity, risk management, some of those other key elements that are part of security.
07:58
ISO 27004 gets us some measurements that we consider implementing to make sure that we can evaluate our program. 27005 looks at risk management, and then 27799 looks at the strategies for protecting personal health information. So the ISO 27000 series,
08:18
very, very useful as a framework that's been proven to be successful over and over again.
08:24
And here's just a little illustration of the Plan-Do-Check-Act model. This is sometimes referred to as Deming's model, because W. Deming is really credited with popularizing this model. It was actually created by a gentleman named Shewhart prior, but Deming popularized this,
08:43
and specifically, he actually talked about this model in relation to
08:46
quality assurance. But if you've ever done any sort of project management, you know how your focus is on quality.
08:54
Well, in our environment, quality is security, right? You know, that's what we're trying to deliver: a quality product, a secure product. So the Plan-Do-Check-Act model works perfectly well here. Now, another way, another framework, or
09:11
additional guidance, maybe, on how we get to the desired state
09:16
is we look at the maturity of our processes. Many different entities have maturity models. The one that I'm showing is the Capability Maturity Model Integration, and that comes to us from the Software Engineering Institute at Carnegie Mellon. And ultimately,
09:33
the philosophy is the more mature your project management,
09:37
the more mature your process, the better your product will be. Now, I'm paraphrasing a little bit, but that's the idea. So it focuses on maturing your projects, or your processes rather. So there are five stages of evaluation, or of maturity, starting at the very lowest, which is initial or initializing.
09:56
And that means that we're just getting started.
09:58
And in reality, we're not really managing projects, we're just producing stuff, you know, phrases like chaotic, or requires heroic effort to be successful. So as you can guess, nobody's really striving for a Level 1. But then we have repeatable, then we go to defined,
10:18
measurable, and then optimized,
10:20
and each one of these elements improves on the one before, to the point where we get to optimized, where the focus there is on continual process improvement: make the product or the process a little more efficient, a little higher quality.