WEBVTT

00:00.690 --> 00:06.870
If a security control is the cornerstone of everything that an I.T. security person does, well, then that

00:06.870 --> 00:12.900
kind of begs the question: where do they come from? Now, the standard type of organization is going

00:12.900 --> 00:17.840
to have tens of thousands, hundreds of thousands, zillions of different security controls.

00:17.850 --> 00:25.170
And if I, as an I.T. security person, am going to apply and manage and adjust these things, well, I have

00:25.170 --> 00:26.300
to start with something.

00:26.550 --> 00:33.210
And we do that through a process known as governance. Now, governance is nothing more than

00:33.210 --> 00:38.790
the set of overarching rules that define how an organization and its personnel conduct themselves.

00:38.920 --> 00:43.760
Well, that sounds easy enough, but governance is a big topic and covers a whole lot more than I.T. security,

00:43.770 --> 00:48.140
so what we're going to be talking about is I.T. security governance.

00:48.240 --> 00:53.610
And those are the set of overarching rules that define how an organization and its personnel conduct

00:53.610 --> 00:55.520
their I.T. security.

00:55.830 --> 00:58.840
So to do this we have to get some type of sources.

00:58.860 --> 01:04.920
And there's a lot of sources out there, and we take these sources and we start to build up our set of

01:04.920 --> 01:05.440
rules.

01:05.520 --> 01:09.150
So let's take a look at the different types of sources that we use.

01:09.210 --> 01:14.590
The first sources for security governance are laws and regulations.

01:14.610 --> 01:18.570
There are lots of laws and regulations out there that affect our I.T. security.

01:18.570 --> 01:23.700
A great example would be, here in the United States, HIPAA, which is used by health care professionals and

01:23.700 --> 01:27.060
how they take care of personal data.

01:27.060 --> 01:32.400
Second are standards. Now, in standards we can really break this into two different types.

01:32.430 --> 01:34.540
First, what we call government standards.

01:34.590 --> 01:38.900
So here in the U.S. it's going to be the National Institute of Standards.

01:39.030 --> 01:44.980
In Europe it might be ISO, but these are organizations that provide specific standards on how to do I.T.

01:45.000 --> 01:46.170
security.

01:46.170 --> 01:53.850
Secondly, though, are industry standards, and probably the one best example of that is PCI DSS. Anybody

01:53.850 --> 02:02.730
who works with a credit card on the Internet in any way, shape or form deals with PCI DSS standards.

02:02.730 --> 02:10.680
Third are best practices. Best practices are just how different people tell you the best way to do their

02:10.680 --> 02:11.520
stuff.

02:11.520 --> 02:17.250
And the most famous of these are the Microsoft best practices, that define tens of thousands of ways

02:17.670 --> 02:25.860
to properly do a Microsoft network. Fourth, and probably the most fun one, is called common sense and experience.

02:26.340 --> 02:29.290
Common sense and experience are really, really important.

02:29.400 --> 02:34.530
And really what it boils down to is thinking: what's worked in the past, what have I understood to be

02:34.530 --> 02:38.520
the best way to do something, and what just sounds right.

02:38.610 --> 02:44.340
Once we take a look at all of these sources for governance our next job is to create two very different

02:44.340 --> 02:45.510
types of documents.

02:45.660 --> 02:52.680
First are what we call policies. A policy is a document, a document that you can hold in your hand, that

02:52.680 --> 02:55.280
defines how we're going to be doing something.

02:55.320 --> 03:01.440
So a good example would be an acceptable use policy that says to the employees what they can and can't

03:01.440 --> 03:04.600
do on the organization's equipment.

03:04.600 --> 03:07.050
Now policies have some certain effects.

03:07.050 --> 03:09.760
First of all they're going to be very broad in nature.

03:09.880 --> 03:12.070
They're not going to have a lot of definition to them.

03:12.090 --> 03:14.580
"We will always use strong passwords."

03:14.580 --> 03:18.420
Secondly they can be used as directives.

03:18.420 --> 03:20.940
A policy is always going to say, "we will do this."

03:20.940 --> 03:24.420
"This will take place." So they're very directive in nature.

03:24.420 --> 03:28.600
Third they are often used to define roles and responsibilities.

03:28.650 --> 03:34.560
So there's usually some organization's policy that says we will always have a chief information security

03:34.560 --> 03:38.300
officer and there will be three security analysts under that position.

03:38.310 --> 03:39.700
That type of stuff.

03:39.780 --> 03:41.960
So policies are important.

03:42.120 --> 03:47.220
And in a typical organization you can see a lot of these. In fact, I'll bet a nickel that if you've ever

03:47.300 --> 03:50.560
gone and got a job with somebody, you probably had to sign a few of these.

03:50.640 --> 03:54.470
You often see security policies in place with new hires.

03:54.840 --> 04:01.890
Now, the second type of document is what I call an organizational standard. Organizational standards are

04:01.890 --> 04:04.050
much more detailed than a policy.

04:04.110 --> 04:07.660
It's going to define the level of performance for our policy.

04:07.680 --> 04:15.540
So if we have a password policy that says on paper that we will use strong passwords, an organizational

04:15.540 --> 04:21.450
standard for passwords is going to say things like: it must be 12 characters, alphanumeric, and it has

04:21.450 --> 04:24.220
to be changed every three months or something like that.

04:24.240 --> 04:27.300
So there's a big difference between the two.

04:27.300 --> 04:33.450
In fact, even though there is a big difference, what you'll see a lot of times is that for some organizations

04:33.720 --> 04:37.320
they'll go ahead and incorporate the standards into policies.

04:37.320 --> 04:41.160
Now, I know that almost seems different from the definition I gave you, but it does happen.

04:41.280 --> 04:46.580
And so you'll see a lot of organizations that don't really have organizational standards per se.

04:46.590 --> 04:50.410
They just have policies that are a bit more detailed than what you would normally expect.

04:51.860 --> 04:52.570
OK.

04:52.710 --> 04:59.070
So we've taken all this stuff, we put it together, we've picked from all of our sources, developed X number

04:59.070 --> 05:02.970
of policies and potentially X number of organizational standards.

05:02.970 --> 05:06.660
Now the interesting thing is, well, where do the security controls come from?

05:06.690 --> 05:10.690
And the answer is they're really in the policies and standards.

05:10.830 --> 05:17.610
It's hard to find an organization that lists every one of its security controls in a big Excel spreadsheet.

05:17.640 --> 05:19.250
OK we'll do our place to see that.

05:19.260 --> 05:20.950
But we'll talk about that later.

05:21.210 --> 05:26.910
What you usually see is that the security controls are actually defined within the policies and standards

05:26.910 --> 05:31.470
that say, you know, this is how we do this security control, that security control.

05:31.470 --> 05:37.980
So there's not usually a big list of security controls that you can look at as a separate item, sometimes.

05:38.380 --> 05:44.010
All right, but we now do have detailed policies and organizational standards that tell us what we need

05:44.010 --> 05:44.760
to do.

05:45.180 --> 05:47.060
But it doesn't tell us how to do it.

05:47.190 --> 05:50.430
And that's where procedures come into play.

05:50.430 --> 05:58.080
A procedure is, like the name implies, a step-by-step process of how you do something: how to go into

05:58.080 --> 06:03.130
Windows Server and set up password complexity as a security policy, whatever it might be.

06:03.330 --> 06:08.400
So procedures define how we actually do it in a step-by-step manner.

06:08.960 --> 06:09.900
OK.

06:10.020 --> 06:11.790
How's that for a little introduction to governance?

06:11.790 --> 06:17.570
Let's take a minute right now and let's just kind of take a picture of all these guys together.

06:17.580 --> 06:20.320
So here is my graphic of governance.

06:20.320 --> 06:26.220
So first of all we're going to start with sources, so things like laws and regulations, best practices,

06:26.480 --> 06:30.930
common sense, all these types of things, and we're going to put these guys at the top here.

06:30.950 --> 06:31.530
OK.

06:31.620 --> 06:37.140
So an I.T. professional looks at all these sources, or knows about all these sources, and then begins

06:37.140 --> 06:42.070
to build policies and standards. From these policies and standards,

06:42.120 --> 06:48.960
what we are in essence creating is a big pile of security controls, which are not separately there within

06:48.960 --> 06:51.510
the policies and standards, but they are there.

06:51.780 --> 06:58.590
Once we have all of this together we then end with procedures that tell us how to actually make each

06:58.590 --> 06:59.790
one of these happen.

07:00.000 --> 07:03.140
And that my friends is what governance is all about.

07:03.300 --> 07:11.070
If you really think about it, governance in its most core function is to actually make the right set

07:11.070 --> 07:13.650
of security controls for your organization.

07:13.650 --> 07:18.030
And this is the process we use to get those security controls up and running.

07:18.030 --> 07:21.680
Now, I want you to remember that graphic, because you're going to see it again in later episodes.

07:21.780 --> 07:25.720
As we talk about a few other things I'm going to keep it a mystery for a moment.

07:25.830 --> 07:28.750
So that's the basics of governance. However,

07:28.860 --> 07:35.920
I get to add one more thing: guidelines. There is one more part, guidelines, that helps us develop our

07:35.920 --> 07:37.610
big pile of security controls.

07:37.780 --> 07:42.330
A guideline, unlike anything else we've ever talked about, is considered something optional.

07:42.460 --> 07:48.580
It's an idea where, you know, usually we run a cable like this, where it doesn't have to be clearly defined,

07:48.850 --> 07:51.790
but it gives us an idea of how we tend to do things.

07:51.790 --> 07:57.400
The important thing to remember is that everything else is required and guidelines are optional.
