WEBVTT

00:00:00.880 --> 00:00:05.880
We've probably all heard the expression in the past: if it's nobody's job,

00:00:05.890 --> 00:00:06.940
nobody does it.

00:00:07.340 --> 00:00:09.670
That's why this segment is so important.

00:00:09.960 --> 00:00:13.550
In order to have a good information security program,

00:00:13.560 --> 00:00:18.910
we need to have governance. That allows us to apply the concepts of

00:00:18.910 --> 00:00:23.600
information security in a good and reliable manner.

00:00:24.400 --> 00:00:28.260
We can say governance starts with understanding the laws,

00:00:28.600 --> 00:00:33.620
making sure that our organization is aware of and compliant with those laws,

00:00:33.940 --> 00:00:37.520
and that those drive the strategy, the mission,

00:00:37.530 --> 00:00:39.420
the goals of the organization.

00:00:40.310 --> 00:00:45.790
From that strategy, we develop a policy, how we are going to do business,

00:00:45.800 --> 00:00:46.830
and of course,

00:00:46.840 --> 00:00:51.640
from the policy, the procedures, the steps that we will actually follow.

00:00:52.470 --> 00:00:55.340
Governance creates accountability.

00:00:55.740 --> 00:00:59.620
So someone is held personally accountable or we

00:00:59.620 --> 00:01:01.680
could say responsible for something.

00:01:02.280 --> 00:01:06.690
That brings in the idea of oversight, and of course,

00:01:06.710 --> 00:01:10.240
when a manager is committed and accountable,

00:01:10.250 --> 00:01:15.380
hopefully they also provide leadership so that he or she can make

00:01:15.380 --> 00:01:19.590
sure that there is direction provided, support,

00:01:19.600 --> 00:01:22.250
of course, for the security program.

00:01:22.870 --> 00:01:25.170
This means that we must communicate.

00:01:25.330 --> 00:01:31.350
We communicate and support the ideas of policies and procedures.

00:01:31.610 --> 00:01:36.460
The purpose of policies and procedures is to make the theory of things

00:01:36.460 --> 00:01:40.650
like our strategy and our mission real and practical.

00:01:42.870 --> 00:01:47.330
A lot of this comes down to the idea of information assurance.

00:01:47.450 --> 00:01:49.990
What is the confidence we have?

00:01:50.000 --> 00:01:52.870
Well that comes from doing good things.

00:01:53.020 --> 00:01:56.580
In other words, when we achieve good practice,

00:01:56.590 --> 00:02:00.590
we have assurance that we're doing the right things including

00:02:00.720 --> 00:02:04.740
providing adequate security for our systems and data.

00:02:05.080 --> 00:02:08.610
We're protecting our customers' data, our employees,

00:02:08.620 --> 00:02:12.110
and we're protecting the future of the organization by

00:02:12.110 --> 00:02:16.100
protecting the confidential information that should be kept

00:02:16.100 --> 00:02:18.090
from other people's knowledge.

00:02:18.480 --> 00:02:22.820
We can say that data and information are two of the most

00:02:22.820 --> 00:02:26.020
valuable assets of most organizations.

00:02:26.280 --> 00:02:29.400
Their customer lists, for example, their research,

00:02:29.400 --> 00:02:32.430
these are all of the things that, in many ways,

00:02:32.470 --> 00:02:38.130
will determine whether or not the organization can be profitable and successful.

00:02:38.570 --> 00:02:42.280
We need to protect data and the data, of course,

00:02:42.290 --> 00:02:45.920
represents anything which is just like numbers,

00:02:45.930 --> 00:02:46.750
letters.

00:02:47.090 --> 00:02:49.660
Information is data with meaning.

00:02:50.640 --> 00:02:55.890
We must protect data all the way through what we call the data lifecycle.

00:02:56.260 --> 00:02:59.980
The data lifecycle starts when we first receive that data,

00:03:00.330 --> 00:03:04.540
then we store, process it, share it, archive it,

00:03:04.550 --> 00:03:05.360
delete it.

00:03:05.370 --> 00:03:07.140
All the way through,

00:03:07.330 --> 00:03:11.030
we must protect the data in all forms that it's in,

00:03:11.060 --> 00:03:14.060
whether or not it's written or electronic,

00:03:15.270 --> 00:03:22.170
whether or not it's spoken or video, we protect it in all forms and at all times,

00:03:22.350 --> 00:03:25.270
so we make sure it's not that it's protected sometimes,

00:03:25.270 --> 00:03:27.530
but other times it's unprotected.

00:03:28.100 --> 00:03:32.180
And of course, that means we protect it in all places as well.

00:03:32.450 --> 00:03:37.010
Data can often end up on several different systems in different departments.

00:03:37.240 --> 00:03:41.120
Is it protected consistently in all of those places?

00:03:42.490 --> 00:03:46.300
Why do we care about information assurance or why do

00:03:46.300 --> 00:03:48.550
we care about information security?

00:03:49.070 --> 00:03:52.910
Because we need to comply with laws and regulations.

00:03:53.270 --> 00:03:58.390
Many organizations are bound by different types of laws and regulations

00:03:58.520 --> 00:04:04.990
depending on the industry sector they work in, but almost all businesses

00:04:05.000 --> 00:04:08.640
are covered then by some type of privacy law.

00:04:09.450 --> 00:04:15.270
Privacy law says we have to keep private or confidential information

00:04:15.270 --> 00:04:18.760
about individuals, a little different from secrecy,

00:04:19.079 --> 00:04:23.080
which is more about protecting information from military

00:04:23.080 --> 00:04:26.200
governments and the organization itself.

00:04:26.950 --> 00:04:32.560
Privacy laws often deal with what we call personally identifiable information,

00:04:32.990 --> 00:04:37.220
information that could be used to identify an individual,

00:04:37.220 --> 00:04:40.380
or in some cases, that individual's location.

00:04:40.930 --> 00:04:45.470
We also have PHI, protected health information,

00:04:45.480 --> 00:04:49.340
which is health information about individuals as well.

00:04:50.060 --> 00:04:52.620
We've seen many different privacy laws.

00:04:52.620 --> 00:04:56.150
In Europe, we have the General Data Protection Requirements,

00:04:56.160 --> 00:05:01.270
GDPR. We've seen a number of cases in healthcare where we've got

00:05:01.280 --> 00:05:05.630
acts such as HIPAA. And in the financial sector,

00:05:05.640 --> 00:05:08.330
we have laws dealing with the protection and the

00:05:08.330 --> 00:05:13.450
rights to use people's financial data, the Gramm‑Leach‑Bliley Act,

00:05:13.700 --> 00:05:16.100
the Sarbanes‑Oxley Act, for example.

00:05:16.730 --> 00:05:18.340
In all of this,

00:05:18.610 --> 00:05:24.420
we want to develop an information program that supports the business

00:05:24.420 --> 00:05:30.460
goals so that we have assurance that we really are working towards

00:05:30.460 --> 00:05:33.650
the long‑term good of the organization.

00:05:34.800 --> 00:05:36.990
So what makes up security?

00:05:37.440 --> 00:05:41.350
The elements of security are people, technology,

00:05:41.580 --> 00:05:46.030
and of course, physical and environmental concerns as well.

00:05:46.510 --> 00:05:52.240
We can say that the end goal of our security program is that we have the

00:05:52.240 --> 00:05:56.740
right people doing the right things in the right way.

00:05:57.320 --> 00:06:02.200
We have people that use technology in a secure manner and

00:06:02.200 --> 00:06:05.860
that technology is installed and implemented in a

00:06:05.860 --> 00:06:08.680
physically secure environment as well.

00:06:10.570 --> 00:06:12.040
A key points review.

00:06:13.180 --> 00:06:17.010
The idea is that security is here to support business.

00:06:17.200 --> 00:06:20.550
It is not to constrain or restrain the business,

00:06:20.630 --> 00:06:26.150
but rather support what the business needs so it has reliable functions.

00:06:26.770 --> 00:06:27.940
In this way,

00:06:27.950 --> 00:06:32.660
we provide assurance or confidence to management that security is

00:06:32.660 --> 00:06:36.280
helping the business to succeed and meet its mission.

00:06:37.210 --> 00:06:40.270
We see that security is more than just technology,

00:06:40.600 --> 00:06:43.050
it's not just about putting in equipment,

00:06:43.330 --> 00:06:46.800
but having people trained in how to use that equipment,

00:06:46.810 --> 00:06:52.610
and of course, also having physical and environmental security as well.
