WEBVTT

00:00:00.990 --> 00:00:02.160
Congratulations.

00:00:02.170 --> 00:00:05.430
You've completed the Security Principles Domain for the

00:00:05.430 --> 00:00:07.870
Certified in Cybersecurity course.

00:00:08.300 --> 00:00:12.540
Let's do a quick summary of the important things we covered in this domain.

00:00:13.860 --> 00:00:16.450
This domain was divided into four sections,

00:00:16.620 --> 00:00:19.290
information security concepts and governance,

00:00:19.640 --> 00:00:25.110
risk management, security controls, and the ISC squared code of ethics.

00:00:25.860 --> 00:00:30.210
The first part we looked at, a very important foundational part,

00:00:30.300 --> 00:00:33.630
was information security concepts and governance,

00:00:34.000 --> 00:00:36.260
and here we looked at some key points.

00:00:36.530 --> 00:00:37.610
First of all,

00:00:37.780 --> 00:00:41.520
the security should not be an add‑on or an option or something

00:00:41.520 --> 00:00:44.410
we tried to put on top of a business process,

00:00:44.860 --> 00:00:45.630
but instead,

00:00:45.630 --> 00:00:50.190
it should be something built into and integrated with the business process.

00:00:50.780 --> 00:00:54.820
The security strategy should be aligned with and support

00:00:54.830 --> 00:00:57.600
business operations and strategy as well.

00:00:57.960 --> 00:01:00.840
We should do our work in a secure way.

00:01:01.930 --> 00:01:06.310
We also know that it's important to have oversight for the security program,

00:01:06.580 --> 00:01:12.270
and organizational governance and oversight requires management to personally

00:01:12.280 --> 00:01:16.600
own and be accountable for the security program as well.

00:01:16.930 --> 00:01:23.260
For many years, we've defined security using this idea of the CIA triad.

00:01:23.810 --> 00:01:27.390
This was a way to make security understandable and have

00:01:27.390 --> 00:01:29.380
a clear definition for everybody.

00:01:30.020 --> 00:01:33.100
So we use terms like confidentiality,

00:01:33.320 --> 00:01:36.200
dealing with things like secrecy and privacy,

00:01:36.620 --> 00:01:41.980
integrity, the accuracy of both processing and of the data itself,

00:01:42.220 --> 00:01:43.510
and availability,

00:01:43.680 --> 00:01:47.110
making sure that our systems and our data are

00:01:47.110 --> 00:01:50.180
available for use when they're required.

00:01:51.620 --> 00:01:54.650
One of the things that is the foundation for a security

00:01:54.650 --> 00:01:58.230
program is the idea of risk management.

00:01:58.660 --> 00:02:02.390
Risk is something that is a natural part of business.

00:02:02.460 --> 00:02:07.990
We do not seek to eliminate risk, instead we seek to manage risk,

00:02:08.110 --> 00:02:10.759
but this means that risk must be owned.

00:02:10.949 --> 00:02:14.800
There must be somebody who is responsible for,

00:02:14.800 --> 00:02:17.590
first of all, identifying that risk,

00:02:18.210 --> 00:02:22.520
selecting and approving some type of risk treatment or risk response,

00:02:22.990 --> 00:02:27.030
and for monitoring for changes in the risk conditions.

00:02:28.080 --> 00:02:34.050
In the end, we want to ensure that all of the risk we face is acceptable,

00:02:34.380 --> 00:02:37.120
and we call this the risk acceptance level.

00:02:37.510 --> 00:02:40.950
It can only be determined by the person who owns the

00:02:40.950 --> 00:02:43.980
risk, which must be a senior manager.

00:02:45.070 --> 00:02:49.770
The goal of our risk management program is to ensure that all

00:02:49.780 --> 00:02:52.780
of our risk is now at an acceptable level.

00:02:53.320 --> 00:02:58.950
That means that the residual risk has been reduced to an area that

00:02:58.960 --> 00:03:02.620
either is equal to or less than risk acceptance.

00:03:03.220 --> 00:03:08.160
Residual risk as we remember is the level of risk that remains

00:03:08.160 --> 00:03:10.890
once the controls have been implemented.

00:03:12.550 --> 00:03:14.500
When we talk about controls,

00:03:14.510 --> 00:03:17.270
we're talking about a number of important things here.

00:03:17.760 --> 00:03:22.390
A control is something that's put in place to address a risk.

00:03:22.500 --> 00:03:25.650
It's the risk that justifies that control,

00:03:25.660 --> 00:03:31.270
and therefore, the control is there to try to mitigate or reduce that risk.

00:03:32.070 --> 00:03:36.310
We have two main types of controls, proactive controls,

00:03:36.310 --> 00:03:40.550
such as safeguards to try to make sure that bad things don't happen,

00:03:40.900 --> 00:03:42.290
and countermeasures,

00:03:42.390 --> 00:03:47.240
reactive controls that kick in once something bad has happened.

00:03:48.040 --> 00:03:51.300
We looked at three different types of controls,

00:03:51.390 --> 00:03:56.570
administrative, or sometimes called managerial controls such as a policy,

00:03:57.190 --> 00:04:01.710
technical, or sometimes called logical controls like a firewall,

00:04:02.060 --> 00:04:05.060
and physical and environmental controls,

00:04:05.120 --> 00:04:08.660
things like access control and power, for example.

00:04:10.070 --> 00:04:12.920
Then we looked at the ISC squared code of ethics.

00:04:13.280 --> 00:04:18.730
As certification holders, we are bound by this professional code of ethics.

00:04:19.060 --> 00:04:24.740
It is mandated for all certification holders and guides our behaviors,

00:04:25.050 --> 00:04:29.080
and failure to abide by the code of ethics could result in

00:04:29.080 --> 00:04:33.320
some type of a disciplinary activity as enforced by the

00:04:33.320 --> 00:04:35.930
board of directors of ISC squared.

00:04:35.930 --> 00:04:37.720
The next steps.

00:04:38.090 --> 00:04:40.160
We've completed the first domain,

00:04:40.480 --> 00:04:45.080
the foundational and the most important domain from an exam perspective,

00:04:45.420 --> 00:04:47.020
but now we need to move on.

00:04:47.620 --> 00:04:51.950
That means we should review and make sure we've understood what we've covered.

00:04:52.430 --> 00:04:58.020
We should seek to have an understanding of the concept,

00:04:58.030 --> 00:05:01.230
not just memorization of the topic.

00:05:02.220 --> 00:05:05.350
Do the sample questions to ensure we have the correct

00:05:05.350 --> 00:05:07.930
understanding as listed in the study guide,

00:05:07.940 --> 00:05:11.940
and then proceed to the next domain, Business Continuity,

00:05:12.040 --> 00:05:15.290
Disaster Recovery, and Incident Response.
