all right, So in looking at the C I A Triad, how does that fit in with information, security? Governance? Well, that's where the ultimate responsibility of senior management comes in. So when we do talk about information, security, governance, it's all the total responsibilities,
the practices that policies
that air set out by the board and senior management, for which they will ultimately be held accountable
for the C I. A. The confidentiality, integrity and availability. And I know that we talked about access control in the I Triple A, and we'll talk more about that later, and that's an important idea. But really, when we talk about the fundamentals of security, it's the C I. A. Try it. Confidentiality,
integrity and availability
governments needs to specify are broad goals as well as our objectives that will help us meet those goals. We already, you know, again talk about the smart goals so you'll see they should be specific. We should have metrics so that we can measure whether or not we're being successful.
Um, one of the things that we'll talk about in the very next chapter is risk management.
Everything that we do is gonna be based on risk and risk is gonna help us understand what the potential for losses so that we can balance that up with the cost of a countermeasure and make good, responsible decisions based on security, governance
and again because we're looking at a cost benefit analysis that's gonna make sure that we use our resource is appropriately as well. Now this last bullet point is so very important. We have tohave an in depth understanding of the value of an organization's information.
How much is it worth? And let me tell you, the value of that information comes from so many different areas. For instance, do we have a legal responsibility to protect that information?
So is it P I? I personally identifiable information? Is that health information? Is it financial information?
Is it information that's critical to the success of our organization with compromise? If this information put human lives at stake
is their intellectual property? Does that property have value to my customers? So the value of information comes from a lot of different directions,
and sometimes that's very hard to quantitatively identify right to give a numeric value for so we do have to have a good understanding of the value of what we're protecting because ultimately,
uh, we're not gonna spend more money
than what we're protecting is worth. But we certainly want to make sure that we spend enough money toe adequately, adequately secure our information
Now from there just going back and re emphasizing because it's so important for chief information security officer to really understand why we need that executive level roll dealing with security. So if we look at this first sentence, governing security means viewing
adequate security as non negotiable.
It's a requirement of being in business and, you know, as an information security professional, that's just a given to me. If you don't protect your information, you're gonna be out of business. But you would be amazed at how many organizations look at information security as a necessary evil. And
when I say a necessary evil, it's only necessary
when it's required by law or it's only necessary when the board members dictated. And it's one of those things we've got to go through, Um,
but if you have anybody in executive leadership that is not on board with the security function than the company culture, the company's architecture the company strategy is going to suffer for it, and we're gonna wind up failing to precut to proactively protector assets.
Then we're gonna have a security compromise and then all of that. And then finally, my guess would be
those executives are now gonna be on board with security after suffering a tremendous loss. Let's avoid that. Let's go ahead and be practice. Let's be proactive in our approach to security. All right, So this thing, this chief information security officer we've talked about the C I A. Triad.
Well, it's a sister who's responsible
for assessing the risks associated with C i O and creating the policies designed to ah si eso assessing the risks with C I A. And then developing and implementing policies that will protect confidentiality, integrity and availability.
They also serve kind of as a go between because they work with the other elements within senior management,
Chief executive officer, chief operations officer, chief financial officer. All of those folks are very important in providing security for the organization. So I'm constantly is a sizzle, working with each of those other officers, and sometimes I'm playing, you know, the game of selling security to them,
but ultimately is about managing risks and understanding what those risks are. So that's my job.
I'm gonna establish those policies or certainly make my recommendations for policies. I'm gonna make sure that their measurements and that we have an auditing mechanism in place so that we can determine if the policies and procedures are working and it's they're being followed and find out any issues of noncompliance. I also
would stress that part of my role as well in a very significant part of my role,
is to make sure we maintain compliance and their numerous regulations and legislation pieces that are out there that really dictate how we have to protect our information, whether it's, um,
health information, personally identifiable information, financial information, whatever that may be.
There. We have to look to the industry regulations and make sure that we're in compliance. That's my job is a sizzle as well.
And then, of course, making sure that I'm aware of emerging threats. If my organization is prepared for the threats of today,
we're already a step behind because Attackers are very forward thinking as soon as one mechanisms been secured, they're looking to find another vulnerability that they can exploit. So I have to be very knowledgeable and well versed
in emerging trends within the security fields as well. So a lot of responsibilities go to This is, um
now there are other roles within the organization not be familiar with. You know, we talked about the CEO, the chief executive officer, Well, there, that individual that has. Or that's the individual that has the ultimate say on implementations within the organization. And if we're talking about selling security,
the CEO has to be on board. Of course,
now the chief financial officer signs the checks. So this is someone that you want in your corner, and this is someone that you want to understand and especially the need for talking in terms of risk management. Rather than throwing a whole lot of terminology and acronyms and
and cyber Burbage at them, we really have to just break it down and speak in terms of lost potential
and cost of mitigating strategies.
Hey, uh, it's not here. There's some organizations have a separate chief information officer, making sure that there's an alignment between technologies. A lot of times that gets rolled up or the scissors rolled up in the C I O Row. Sometimes they're separate and sometimes not. And then I didn't mention on the slide. But the chief
operating officer, of course, that oversees the ultimate operations of the organization. Ultimately, when we look at having security audits and a security team that's designed for the purpose of audit, that actually wind up answering to the chief
operating officer rather than answer necessarily to the information security officer, because as a scissors oh, my job is to develop the plans and make sure that they're implemented. But the auditing teams gonna make sure that I've done my job well. So obviously they wouldn't be answering
other roles and responsibilities within the organization steering committee. Usually, this is ah, specific group. A lot of times you have steering committees directed towards solving a specific problem.
So you look a steering committee that's going to assess the possibility of opening a branch office in another location,
something like that. Auditors evaluate business processes. Of course, we've talked about them on Remember auditors, audit auditors don't fix problems, they document problems, and we return that to senior management to determine a means of correcting the problems they sound
are two additional rolls here. Data folders and data custodians. So when we talk about the older of the data, these are the folks that determine the classification of the dab It they determine the value of the data. They determine who should access the data.
So it's their data. Essentially, all those elements mean
they're the ones that evaluate the data. Okay, then it's the data custodian who is responsible for enforcing the security. So where is the data custodian May say, this should be classified as secret. I'm sorry. The data owner would say this should be classified as secret.
It's the custodian that implements the security controls that enforce that classification.
They're also responsible for backing up and being able to restore death. A lot of times, the custodian is a function of the I T department or the I s department. Okay. And then the final two rebels Network administrator in security administrator.
In many smaller organizations, the same individuals satisfied both these roles. That really is a problem from a round of separation of duties, because when we look at the network administrator there, specific function is availability to make network resource is available
now, the security administrator should be looking
to satisfy the security requirements first and foremost, so there's a little bit of a conflict of interest. But again, don't forget. Security administrators are there to make sure that security policies air being followed. We're gonna see audit is part of the security team. We want to make sure that someone's evaluating with the network administrator does,
so those two should really very much be separate Rose.