1
00:00:00,330 --> 00:00:06,689
We are now going to discuss some key components of security governance. These components are important
2
00:00:06,689 --> 00:00:13,860
in order to ensure a decent and secure security posture of organisations. Mainly, we will be discussing
3
00:00:13,860 --> 00:00:16,390
policies, standards and procedures.
4
00:00:16,860 --> 00:00:21,590
We're going to have a look at what these entail and what the differences between them are.
5
00:00:23,570 --> 00:00:27,680
If you look at the security governance pyramid, we have policies at the top.
6
00:00:28,560 --> 00:00:35,040
Now policies are organisation-wide; they are high-level and broad-natured in scope. Usually policies
7
00:00:35,040 --> 00:00:42,270
are defined for the long term and they typically span several years. Policies define responsibilities both
8
00:00:42,270 --> 00:00:44,130
for management and the users.
9
00:00:45,010 --> 00:00:49,120
Now policies are few in number; they're high-level and broad-natured.
10
00:00:50,660 --> 00:00:56,690
But then we have standards which highlight the rules which are needed to achieve the intent of the policy.
11
00:00:57,440 --> 00:01:00,500
So standards would be more in number compared to policies.
12
00:01:02,100 --> 00:01:08,460
And just below standards, we have procedures which are basically specific steps needed to realize the
13
00:01:08,460 --> 00:01:15,510
rules specified by the standard. Now the basic aim of procedures is to train employees and ensure
14
00:01:15,510 --> 00:01:19,030
consistency in security-related business processes.
15
00:01:19,560 --> 00:01:25,110
What it means is that if you have a standard operating procedure and you have documents which list
16
00:01:25,120 --> 00:01:31,830
the specific steps that need to be taken in a particular situation, then it doesn't matter which employee
17
00:01:31,830 --> 00:01:33,350
is implementing those steps.
18
00:01:34,020 --> 00:01:38,310
You'll have a consistency of results and a consistency of process.
19
00:01:39,150 --> 00:01:44,580
This is very important because if you don't have standard operating procedures, then different employees
20
00:01:44,580 --> 00:01:46,710
are going to take different routes.
21
00:01:47,100 --> 00:01:51,720
They may take different steps, which may lead to different results. So consider
22
00:01:51,720 --> 00:01:55,680
for example, that a phishing attack on your organization has been detected.
23
00:01:56,100 --> 00:02:02,040
If you have proper procedures on how to address that phishing attack, starting from step one to the last
24
00:02:02,040 --> 00:02:07,320
step, then you will be in a better position to ensure the sanctity of your security posture.
25
00:02:08,610 --> 00:02:15,300
We also have guidelines which basically reside at the same level of the pyramid as procedures. Guidelines
26
00:02:15,300 --> 00:02:21,180
are optional recommendations, which means that they are suggested best practices, but not mandatory.
27
00:02:24,790 --> 00:02:31,510
In order to have a clear understanding about what policies, standards and procedures entail, what the
28
00:02:31,510 --> 00:02:37,210
differences between them are and how to structure them, we can take the example of passwords and we'll
29
00:02:37,210 --> 00:02:40,360
design the policy, the standard and procedures.
30
00:02:41,990 --> 00:02:48,530
So the password policy states that passwords must be strong, they should be regularly rotated and users
31
00:02:48,530 --> 00:02:51,000
are responsible for safeguarding their passwords.
32
00:02:51,650 --> 00:02:57,500
If you notice, the policy is quite broad and generic in nature and specific things are not mentioned.
33
00:02:57,860 --> 00:03:00,230
So, for example, they've said passwords must be strong.
34
00:03:00,260 --> 00:03:01,750
Now, this is a general statement.
35
00:03:02,000 --> 00:03:06,520
They have not specified how strong or how to select strong passwords.
36
00:03:07,280 --> 00:03:11,380
It is also not mentioned how regularly they should be rotated, and so on.
37
00:03:11,870 --> 00:03:13,950
So it's broad and general in nature.
38
00:03:14,690 --> 00:03:16,630
Let's have a look at the password standard.
39
00:03:17,420 --> 00:03:22,580
Now, the password standard can specify things like: passwords should be greater than eight characters
40
00:03:22,580 --> 00:03:25,130
in length and should have two special characters.
41
00:03:25,670 --> 00:03:31,550
Now this standard basically explains in more detail what "passwords must be strong" means.
42
00:03:32,540 --> 00:03:37,190
So in order to make them strong, we need to make sure that they are greater than a specific length
43
00:03:37,190 --> 00:03:39,470
and then they have special characters, for instance.
44
00:03:40,010 --> 00:03:43,730
The second point is that passwords must be changed every 90 days.
45
00:03:44,120 --> 00:03:50,330
So our policy stated that the passwords should be regularly rotated, but it is now the standard which
46
00:03:50,330 --> 00:03:53,510
is specifying that the rotation should be done every 90 days.
47
00:03:53,510 --> 00:03:55,130
So it's providing more details.
48
00:03:56,360 --> 00:04:01,370
Thirdly, users are responsible for their passwords and in case they believe a password has been compromised,
49
00:04:01,370 --> 00:04:03,710
they must immediately contact I.T. security.
50
00:04:03,980 --> 00:04:09,620
Now, this part of the standard explains and provides more details about how users are responsible for
51
00:04:09,620 --> 00:04:14,780
safeguarding their passwords and what their responsibilities are in case they believe their password
52
00:04:14,780 --> 00:04:15,800
has been compromised.
53
00:04:16,890 --> 00:04:22,089
Now, let's have a look at procedures and guidelines which provide specific steps that must be taken.
54
00:04:22,710 --> 00:04:28,500
So, for example, let's consider a password change procedure. So it lists the specific steps that you
55
00:04:28,500 --> 00:04:28,910
need to do.
56
00:04:28,920 --> 00:04:30,830
For example, you need to log into your account.
57
00:04:31,140 --> 00:04:34,430
You need to go to the settings option and select "change password".
58
00:04:34,770 --> 00:04:38,640
Then you have to enter the new password along with confirmation and click submit.
59
00:04:39,360 --> 00:04:44,370
Now, it does seem that these are very simple steps and, you know, people can actually do them on
60
00:04:44,370 --> 00:04:44,970
their own.
61
00:04:45,660 --> 00:04:50,490
But it is always nice to provide a standard set of steps in order to avoid confusion.
62
00:04:50,940 --> 00:04:55,690
Now, this is a simple example, but in some instances, for example, addressing a security breach,
63
00:04:55,830 --> 00:04:57,120
things can get out of hand
64
00:04:57,120 --> 00:05:02,970
if we don't have a streamlined set of procedures. Now password guidelines could be something along the
65
00:05:02,970 --> 00:05:07,260
lines of: select a phrase as a password, as it is easy to remember and strong.
66
00:05:07,710 --> 00:05:13,140
And this is true because if you select a sentence or phrase as a password, the sheer length of that is
67
00:05:13,140 --> 00:05:18,120
going to make the password very strong and almost impossible to attack through brute force.
68
00:05:19,820 --> 00:05:23,210
So as we saw, policies provide overall direction.
69
00:05:24,630 --> 00:05:30,420
And then we have standards which basically allow us to explain policies in more detail, and then we
70
00:05:30,420 --> 00:05:33,750
have procedures which list specific steps that you need to take.
71
00:05:36,270 --> 00:05:42,210
Designing effective information security policies is a difficult task and there are a number of challenges
72
00:05:42,210 --> 00:05:43,440
which must be addressed.
73
00:05:43,800 --> 00:05:48,780
Let's have a look at some of the key things that you must take into consideration if you want to design
74
00:05:48,780 --> 00:05:50,920
an effective information security policy.
75
00:05:51,480 --> 00:05:59,970
So the first one is risks. You should always clearly identify risks, their possibility of occurrence and
76
00:05:59,970 --> 00:06:00,960
prioritize them.
77
00:06:02,310 --> 00:06:07,350
So the key danger here is that if you miss a risk, especially one that is likely to materialize,
78
00:06:07,680 --> 00:06:10,770
then your information security policy would have a serious flaw.
79
00:06:12,560 --> 00:06:19,340
So next are legal and regulatory requirements. So every industry has its own set of legal and regulatory
80
00:06:19,340 --> 00:06:24,920
compliance requirements, and when designing your information security policies, those requirements
81
00:06:24,920 --> 00:06:26,450
must be properly addressed.
82
00:06:28,560 --> 00:06:35,250
Any information security policy without teeth is pretty much useless, so your policy should clearly
83
00:06:35,250 --> 00:06:41,670
identify instances which are considered as violations and the penalties associated with those, and
84
00:06:41,670 --> 00:06:44,880
then you should also make sure that those penalties are enforced.
85
00:06:47,430 --> 00:06:52,950
You should always take people on board, especially the staff, who would be abiding by your security
86
00:06:52,950 --> 00:06:54,550
policy day in and day out.
87
00:06:54,930 --> 00:07:01,320
They can even help streamline the policy and they can sometimes identify areas or issues that might
88
00:07:01,320 --> 00:07:02,330
have been overlooked.
89
00:07:05,530 --> 00:07:10,540
You can have the best information security policy in the world, but if your employees are not properly
90
00:07:10,540 --> 00:07:14,830
trained on how to implement it, then it's pretty much useless.
91
00:07:15,160 --> 00:07:21,250
So you should always make sure that you conduct periodic training workshops in which you share the information
92
00:07:21,250 --> 00:07:24,940
security policy rules and make your employees aware of them.
93
00:07:25,720 --> 00:07:31,480
Finally, you should always have management support, and the support should not be verbal; it should
94
00:07:31,480 --> 00:07:33,940
be written and it needs to be visible.
95
00:07:36,140 --> 00:07:42,590
So if the employees see senior management owning a security policy and recommending it, then they
96
00:07:42,590 --> 00:07:44,020
are more likely to follow it.
97
00:07:45,500 --> 00:07:46,910
So this concludes our lecture.
98
00:07:46,940 --> 00:07:48,220
I'll see you in the next one.