WEBVTT

00:00.770 --> 00:01.940
Now I don't know about you.

00:01.960 --> 00:07.220
But if you've been watching these episodes in order, you're probably in a little bit of a panic right

00:07.220 --> 00:07.770
now.

00:07.790 --> 00:16.490
We've got all of this I.T. governance and risk management and security controls and processes and policies

00:16.490 --> 00:17.690
and holy smoke.

00:17.690 --> 00:19.440
There is a lot to this.

00:19.670 --> 00:26.770
So if you were to walk into an organization that suddenly said, "Help us, help us, we have no security."

00:26.930 --> 00:31.850
Just the organizational process is a massive, massive job.

00:31.850 --> 00:38.570
So how do you, as an I.T. security professional, just start the process of making all this happen?

00:38.720 --> 00:42.870
Well, that is the job of what we call frameworks.

00:42.950 --> 00:51.110
A framework is nothing more than a process idea, almost like project management, almost like a list of

00:51.230 --> 00:58.070
the big things you've got to do as an I.T. security thing that helps you as a professional provide the

00:58.070 --> 01:02.710
type of organization to give good I.T. security to your infrastructure.

01:02.710 --> 01:08.310
Now a framework is not going to be much more than a bunch of boxes and a lot of overview stuff.

01:08.510 --> 01:10.330
But they are very, very important.

01:10.330 --> 01:12.530
There's lots of frameworks out there.

01:12.530 --> 01:17.660
There are regulatory frameworks that certain organizations absolutely must use.

01:17.810 --> 01:20.480
There's a lot of non-regulatory ones where it's just organizations.

01:20.480 --> 01:21.910
So this is a really good way to do it.

01:22.010 --> 01:24.090
And some people abide by those.

01:24.140 --> 01:26.440
We have national standards.

01:26.480 --> 01:30.500
We have international standards that define these types of frameworks.

01:30.590 --> 01:36.260
And there's also industry-specific frameworks that are usually defined for one particular organization.

01:36.830 --> 01:41.540
To give you some examples of these types of frameworks, well, I'm a NIST guy, so let's start with probably

01:41.540 --> 01:44.060
the most famous of all of these frameworks.

01:44.060 --> 01:52.880
Good ole SP 800-37. This massive document is the first go-to place for I.T. security professionals who

01:52.880 --> 01:57.130
want to be able to understand how to perform a risk management framework.

01:57.130 --> 02:04.730
Now keep in mind that this is also a national standard, and it's also, at least in terms of United States

02:04.730 --> 02:06.110
federal organizations.

02:06.110 --> 02:08.050
It's a regulatory one as well.

02:08.060 --> 02:13.610
Now for somebody like me, I just like the risk management framework, so it's not going to be regulatory

02:13.610 --> 02:15.560
for me, very much non-regulatory.

02:15.560 --> 02:20.780
But as a private organization, these are free public documents that everybody knows about.

02:20.870 --> 02:23.300
So we all tend to use them now.

02:23.390 --> 02:29.030
A good example of a non-regulatory one would be the good ole ISACA I.T. infrastructure.

02:29.040 --> 02:34.110
Now this is published by ISACA, and a lot of people follow these guys as well.

02:35.140 --> 02:42.070
In the international world, good ole ISO 27000 definitely defines a risk management framework that people

02:42.070 --> 02:44.050
all over the world can use.

02:44.050 --> 02:49.150
Now if you want to terrify yourself, I'm just putting all kinds of fear in your life today, aren't I? What

02:49.150 --> 02:54.370
you need to do is go into Google, and I want you to type in "risk management framework."

02:54.370 --> 02:57.640
Hit Enter, and then don't look at the Web results.

02:57.640 --> 02:59.280
Look at the image results.

02:59.320 --> 03:04.380
There are gazillions of these management frameworks and they're all absolutely fine.

03:04.390 --> 03:10.180
Different types of people might use different ones, but for me, because I'm a NIST guy, what I'd like

03:10.180 --> 03:15.790
to do is take a minute and let's go through the NIST risk management framework.

03:15.790 --> 03:19.920
So what you're looking at right here, folks, are the six steps of the NIST

03:19.990 --> 03:21.790
risk management framework.

03:21.790 --> 03:25.870
So what I want to do at this point is just do a quick run-through on each one of these so you can get

03:25.870 --> 03:33.400
an idea of the big steps that we use when it comes to organizing the security for our infrastructure.

03:33.400 --> 03:37.570
So number one, that's a big one, and that is categorize your information systems.

03:37.570 --> 03:42.070
Now what we're talking about by categorizing them is that we really need to have an understanding, not

03:42.070 --> 03:46.930
only... I'm not saying to just count routers. I mean, you definitely do that at this part, in counting the

03:46.930 --> 03:48.570
number of Windows systems you have.

03:48.640 --> 03:54.820
But more importantly, you have to really categorize your workflows and your processes and your vendors

03:54.820 --> 03:57.770
and all of your different organizational inputs and outputs.

03:57.940 --> 04:02.830
And this is a big job, and one of the most important first steps you can do when it comes to getting

04:03.040 --> 04:06.800
everything organized using this particular risk management framework.

04:06.910 --> 04:12.300
So you end up generating this huge list of different types of assets and workflows and processes.

04:12.310 --> 04:18.160
So the second thing you're going to have to do, then, is you're going to have to select security controls.

04:18.160 --> 04:23.070
Now we've already covered security controls in other episodes, so I don't need to develop that again.

04:23.230 --> 04:27.730
But at this point, you need to start looking at all of the different things that are taking place, and

04:27.730 --> 04:34.300
based on regulations and laws and standards and best practices and common sense, you start to say, well,

04:34.300 --> 04:35.310
I want to do this.

04:35.440 --> 04:37.540
We're going to use big passwords.

04:37.540 --> 04:46.030
We're going to set everything to WPA2 shared key with a minimum 30-character password, whatever

04:46.030 --> 04:46.870
it might be.

04:46.870 --> 04:50.220
You begin to select all of these different controls.

04:50.250 --> 04:56.770
Now interestingly enough, though, let's take a look at the third step, and that is implement security controls,

04:57.070 --> 04:59.980
and you would think, well, if you're selecting them, aren't you implementing them?

04:59.980 --> 05:06.460
Not at all. The process between somebody sitting at a desk going, oh, these are good ideas, versus the screwdriver

05:06.460 --> 05:11.050
guys who actually have to start implementing all of these different types of controls can be a really

05:11.050 --> 05:12.050
big step.

05:12.100 --> 05:16.900
And as we start implementing different types of controls, we'll run into little problems here

05:16.900 --> 05:22.750
and there, but we need to appreciate that that is a big step, and it's very important that we keep that separated

05:23.020 --> 05:25.620
from simply selecting the controls.

05:25.660 --> 05:29.090
Now fourth is assess the security controls.

05:29.110 --> 05:34.180
Now this has always been a bit of a weird one to me, because if I'm applying a security control, I'm

05:34.180 --> 05:37.620
going to be watching what it does, but that's not what they're talking about here.

05:37.780 --> 05:43.960
What they're talking about is, before we really put all this online, whatever it might be, let's verify

05:43.960 --> 05:49.150
that everything works the way that we want it to, do our best due diligence that we can to make sure

05:49.150 --> 05:55.360
that if we require everybody to have a new password every 30 days, that we understand that that's going

05:55.360 --> 06:00.670
to have some pretty big implementation issues and a lot of problems with the administration as well

06:00.670 --> 06:02.070
as people forgetting their passwords.

06:02.080 --> 06:07.180
So that's what Step 4 is all about, as we're assessing what that process is going to be, and a lot of

06:07.180 --> 06:08.620
times in this particular case.

06:08.650 --> 06:13.030
This is all done through what we call a sandbox, a separate little network where we're testing stuff

06:13.030 --> 06:14.500
to see how it all works.

06:15.260 --> 06:16.970
So Step Five is the big one.

06:16.970 --> 06:20.780
Step Five is authorizing the controls. So we've got all this set up.

06:20.860 --> 06:22.340
Everything is ready to rock and roll.

06:22.470 --> 06:23.760
We know how to do it.

06:23.780 --> 06:25.270
We've got the procedures down.

06:25.340 --> 06:25.990
We've assessed it.

06:26.000 --> 06:30.710
We feel that it works pretty good. At some point there has to be some big boss up there who goes, all

06:30.710 --> 06:32.590
right let's do this.

06:32.600 --> 06:36.970
I'm willing to accept the risk on behalf of the company or organization or whatever it might be.

06:37.190 --> 06:42.440
Let's, let's go ahead and authorize them. Authorization becomes very important, especially if something

06:42.440 --> 06:47.300
goes wrong and we need to point a finger at somebody. That's not necessarily to fire people, but at least

06:47.300 --> 06:50.040
you know, lessons-learned type scenarios.

06:50.090 --> 06:55.730
Understanding who makes the authorization can often be an important point in that framework.

06:55.850 --> 07:00.130
The next one is monitor, and that's where, OK, everything's up and running and cooking.

07:00.140 --> 07:01.560
Let's watch the control.

07:01.640 --> 07:07.160
Let's stay on top of this control, see what it's doing. Is it doing the job we wanted it to? Is it restricting

07:07.160 --> 07:08.380
people too much?

07:08.390 --> 07:14.360
Is it mitigating or eliminating the risk, whatever it's designed to be implemented for? And let's make

07:14.360 --> 07:15.970
a judgment on it.

07:15.980 --> 07:19.290
So then what really happens as it's been monitored?

07:19.460 --> 07:21.710
We really kind of repeat this whole process.

07:21.740 --> 07:23.930
So we come right back to categorization.

07:24.050 --> 07:26.840
Now in this case, we're not having to reinvent everything.

07:26.840 --> 07:31.160
But what we're more doing now is, as a result of the monitoring, we begin to understand things like, for

07:31.160 --> 07:37.940
example, hey, the way these guys set up this enterprise-level RADIUS server really worked well.

07:37.970 --> 07:44.570
So maybe we can go ahead and categorize all of our wireless networks and put them all into RADIUS servers.

07:44.630 --> 07:50.670
So literally what happens here is, as we take a look at all six of these steps, it becomes a big loop,

07:50.870 --> 07:53.570
and we just keep doing this and doing this and doing this.

07:53.810 --> 07:58.250
And the most important thing is you get to do it forever, and that's why they call it a job.

07:58.250 --> 07:59.700
So good luck to you.

07:59.720 --> 08:01.200
I.T. security professional.
