Information Security Governance

Video Activity

This lesson will cover information security governance within the role of the CISO. Information security governance is the set of responsibilities and practices implemented by the board and senior management for protecting the C-I-A of information. Information security governance should, therefore: Provide long-term goals and short-term objectives ...

Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
3 hours 54 minutes
Difficulty
Advanced
CEU/CPE
4
Video Description

This lesson will cover information security governance within the role of the CISO. Information security governance is the set of responsibilities and practices implemented by the board and senior management for protecting the C-I-A of information. Information security governance should, therefore:

  • Provide long-term goals and short-term objectives
  • Include metrics by which to determine success
  • Be based on sound risk management principals
  • Ensure that the enterprise's resources are used appropriately
  • Require an in-depth understanding of the value of an organization's information

Ultimately the responsibility for information security must rest upon the organization's executive level. Information security is an executive responsibility because: - If an organization's senior management, including the boards of directors, senior executives, and all managers does not establish and reinforce the business need for effective enterprise security; the organizations desired state of security will not be articulated, achieved, or sustained

  • To achieve a sustainable capability, organizations must make enterprise security the responsibility of leaders at the governance level and not of other organizational roles that lack the authority, accountability, and resources to act and enforce compliance

Security is a non-negotiable aspect of the business environment, because if you don't protect your information you will be out of business.

Video Transcription
00:04
Okay, moving along. Let's take a look at module to. And this is where we really start to get into more meat of the material. Let's go ahead and talk about information, security, governance and what its impact is on the organization.
00:18
So if we look at this particular diagram, this comes to us from my Sacha there, the organization that put out frameworks like Kobe and Co. So
00:27
on you may be familiar with This is Amore, says Exam. Those all come from my Sacha, and this particular diagram really shows the business processes on. If you look at the main processes, we have the organization as a whole and from that stemming down to the processes within our organization,
00:47
the people in technology and then I like to think of of the elements as you know, really on, kind of like bungee cords between
00:56
each of the major processes, you've got culture and governance and architecture, and the reason, I say kind of think of them as bungee cords or let elastic bands is because if you pull one out of perspective, it affects the rest of the organization as a whole, right?
01:12
So if the architecture for instance,
01:15
doesn't really support what we're trying to do as an organization. Will that throws everything off base or if governance isn't their company culture isn't there. So ultimately in this diagram, what we really see your the four main elements organization are processes our technology and our people,
01:36
and at the base of that try it.
01:37
Our process is air driven by our technology and the capabilities of our people. And you noticed the band connecting people in technology, human factors and that really being the
01:49
base of the triangle and that ultimately is the weakest point here within our organization. You know, if you were to ask most people
01:59
where the weakness in my organization is hopefully today, we understand that it comes from the inside and absolutely
02:07
bad guys. There are many bad guys outside many issues with connective ity to public networks such as the Internet. Absolutely. But if you look at historical information, about 80% of all fraud
02:20
is initiated inside, not to mention the fact that security vulnerabilities don't even have to be the result of malicious attack, you know, user accidentally deleting a critical file. That file's gone, whether it was intentional or not, or,
02:36
ah, someone in the organization giving out sensitive information
02:39
to an attacker. They didn't mean to, but they violated policy, and ah allowed an attacker to have a leg up and have some internal knowledge. So the human factors are very, very significant.
02:52
But if you start at the top, the organization as a whole, this is really where governance starts. That piece were senior management isn't of the is involved. They determined the organizational strategy,
03:07
how the organizations to be designed and what are, you know, ultimate approach to security is
03:14
now from senior management, you know, you see down in the centre governance, absolutely. And they have two governments such a way that supports their strategy. So ultimately, the strategy is what we want to accomplish, what the governance will help us get there. That's where our policies and procedures come into play.
03:30
You'll also note notice company culture and company culture is huge. How my organization behaves when our climate, you know, whether it's politically speaking or what our approach and our general environment is. That's huge in the realm of security.
03:50
For those of you that work in the government or military, you know that you have a very unique culture.
03:54
Ah, if you're in the private sector in a commercial industry, Ah, that provides medical service is well, your culture is driven, perhaps based on a need to maintain compliance with HIPPA. Or you could be more subjective organization, the upper senior management.
04:14
They really drive the culture of the organization.
04:15
If senior management doesn't believe in information, security or security as a whole, then you'll find your users don't believe in it either. So culture stems down
04:27
architecture also, that's the environment we've created with their devices. That's the framework on which we've built her organization and the elements that we've implemented. All right now, people processes technology. When we talk about the link between people and processes emergence,
04:46
new things happening
04:47
all the time. New technologies, air coming out, new processes are in place and how we and able and support those new processes will determine whether or not they're successful. So I think that's actually a very good diagram that eye socket gives us, because it really helps us kind of see the business model
05:08
and the business as a whole in House security
05:11
is affected by so many different elements and inter related bans, if you will, so good diagram for my second
Up Next
Chief Information Security Officer (CISO)

In this CISO certification training, you will learn what other CISO's are focusing their time and attention on. Among the key topics, you will learn how to implement the proven best practices that make for successful cyber security leadership.

Instructed By