okay, We move on to module thought, policies, procedures, standards and guidelines. Earlier, we looked at risks and we talked about how risks will shape our security strategy. And now we're gonna figure out how to make our security strategy work, how we're gonna bring it to fruition,
and that's gonna be through the use of our policies and our standard procedures and guidelines.
So as we get started here when we're looking at developing policies, you know, obviously risk management must come first. And then we have to take a look at the world in which we live in, or the environment which we operate. So we have to think about what are those things that constrain us? What are those things that absolutely
must we adhere to? So one of the bigger drivers is what sort of legislation? What sort of industry regulation, What sort of legal environment, You know, whether it's Sarbanes Oxley or Pippa. What are those influencers from the legal
community? Because that's gonna be a main main driver. Our security policy.
We also have to think about physical limitations in the environment which we operate, you know, um,
ours for security, our physical facility but also where we are. Great. Um, what are what is the availability that we have to resource is, um, you know all those areas that you know, what physical components do we have to work with?
Ethics and culture ethics vary from organization organization. Now, certainly there's sort of a universal code of ethics, but, um,
within our organization, the ethics may vary from that standard code. Maybe there's a higher code of ethics to which we perform culture, whether it's environmental cultures in the region in which we operate. Maybe it's company culture,
you know, we work within that. Like I said earlier, the military is certainly its own very unique culture and environment
costs are absolutely one of the biggest limitations. We always have a budget with men we have to operate.
And what we have to really focus on is making the most out of that budget and creating our security policies so that we get the most bang for the buck, so to speak. And we'll talk about what really we talked about that with risk analysis and getting the potential value for risk
and then making good cost benefit decision.
All right. Now, moving on personnel. Uh, can we do we have to operate in house? Can we outsource and procure? Other resource is Can we train our people if we don't have skilled personnel, maybe to do forensics investigations, or do we need to outsource that work
the structure of the organization and the hierarchy? You know, it depends on how we're organized, whether or not I have the ability Thio to develop and implement policies myself. Do we have to go through a hierarchy, A chain of command?
Also, we think about our resource is, and that comes down to money, technology, people. All those things we have at our disposal
capabilities. Again, this goes back to personnel. Can I train? Can I outsource how we're gonna make that work?
Also, time were very limited by a schedule when we look to implement some of these mechanisms, but also in the bigger picture. You know, um, the longer we exist without security policies and procedures in place, the more at risk we are.
And then last but not least, risk appetite, which we already talked about, was developed from senior management. They're the ones board of directors really determined. How much was risk or what their general philosophy is towards risks. That's the risk appetite.
So each of these elements are gonna constrain us when we do look at the policies that we develop
and we have to keep every one of these items in mind
now in relation to legal dry drivers, liability is one of our greatest concerns. Will I be held liable in the event of a loss? You know, senior management could be sued by their shareholders if they fail to appropriately protect the resource is of the organization.
Um, if I'm not in compliance with Pippa and I met and I'm a medical provider, there might be large finds, um, and my executing due diligence and do care as I looked to develop my policy, my security strategies and then my policies. So we have to think about those areas of liability.
Just a quick kind of cheapie definition,
due diligence and do care. You can think of due diligence being the research and do care being the action. So you're researching, then you act so due diligence is the research to cares the action
when we're considering liabilities. One of the things that can be determined that that might determine liability in a court of law, something called the Prudent Person. And I know it says Prudent man rule. But in all honesty, they they've reworked that to be a little bit more politically correct.
So it's the prudent, gender, non specific individual who
and what that prudent person rule says is based on a judge's discretion. It's their determination, whether or not I've acted responsibly and cautiously as a pregnant person would do.
OK, so that might help me avoid liability. If I have acted this such
now downstream liabilities, what that has to do with is three idea, and I think we're all should be on board with this. Just because I outsource work doesn't mean I've eliminated risks, right? I determine we can't meet our requirements in house, so I hire a contractor
Now that doesn't eliminate risks, right? That contracts. Sometimes it increases risks because, really, if you think about it, the contractor themselves may outsource to another contractor to another contractor. But any break this is work that's going outside of my organization,
so we're not eliminating risk. We're really transferring risks.
We're turning this over to a North. Another organization and maybe they will compensate us that there's some sort of failure. But ultimately the risks still exists, and we're still liable. So keep that in mind just because you outsource, you know, we think about the cloud. Really? All we're doing with the cloud is
turning over our data or our infrastructure or software service is
we're turning. There's over to a cloud service provider. So just because we send ah information to the cloud doesn't mean we've eliminated risks associated with that. So we keep in mind that this is our information. This is our data. We've been entrusted to protect it. And if we fail to do so,
the liability comes back on the bus.