All language subtitles for 007 Security Governance Policies, Standards and Procedures_en

We are now going to discuss some key components of security governance. These components are important in order to ensure a decent and secure security posture of organisations. Mainly, we will be discussing policies, standards and procedures. We're going to have a look at what these entail and what the differences between them are.

If you look at the security governance pyramid, we have policies at the top. Now policies are organisation-wide; they are high-level and broad-natured in scope. Usually policies are defined for the long term and they typically span several years. Policies define responsibilities both for management and the users. Now policies are few in number; they're high-level and broad-natured.

But then we have standards, which highlight the rules which are needed to achieve the intent of the policy. So standards would be more in number compared to policies.

And just below standards, we have procedures, which are basically specific steps needed to realize the rules specified by the standard. Now the basic aim of procedures is to train employees and ensure consistency in security-related business processes. What it means is that if you have a standard operating procedure and you have documents which list the specific steps needed to be taken in a particular situation, then it doesn't matter which employee is implementing those steps. You'll have a consistency of results and a consistency of process. This is very important because if you don't have standard operating procedures, then different employees are going to take different routes. They may take different steps, which may lead to different results. So consider, for example, that a phishing attack on your organization has been detected. If you have proper procedures for how to address that phishing attack, starting from step one to the last step, then you will be in a better position to ensure the sanctity of your security posture.

We also have guidelines, which basically reside at the same level of the pyramid as procedures. Guidelines are optional recommendations, which means that they are suggested best practices, but not mandatory.

In order to have a clear understanding about what policies, standards and procedures entail, what the differences between them are and how to structure them, we can take the example of passwords and we'll design the policy, the standard and the procedures.

So the password policy states that passwords must be strong, they should be regularly rotated and users are responsible for safeguarding their passwords. If you notice, the policy is quite broad and generic in nature and specific things are not mentioned. So, for example, they've said passwords must be strong. Now, this is a general statement. They have not specified how strong or how to select strong passwords. It is also not mentioned how regularly they should be rotated, and so on. So it's broad and general in nature.

Let's have a look at the password standard. Now, the password standard can specify things like: passwords should be greater than eight characters in length and should have two special characters. Now this standard basically explains more details about "passwords must be strong". So in order to make them strong, we need to make sure that they are greater than a specific length and that they have special characters, for instance. The second point is that passwords must be changed every 90 days. So our policy stated that the passwords should be regularly rotated, but it is now the standard which is specifying that the rotation should be done every 90 days. So it's providing more details. Thirdly, users are responsible for their passwords and, in case they believe it has been compromised, they must immediately contact I.T. security. Now, this part of the standard explains and provides more details about how users are responsible for safeguarding their passwords and what their responsibilities are in case they believe their password has been compromised.

Now, let's have a look at procedures and guidelines, which provide specific steps that must be taken. So, for example, let's consider a password change procedure. It lists the specific steps that you need to do. For example, you need to log into your account. You need to go to the settings option and select change password. Then you have to enter the new password along with the confirmation and click submit. Now, it does seem that these are very simple steps and, you know, people can actually do them on their own. But it is always nice to provide a standard set of steps in order to avoid confusion. Now, this is a simple example, but in some instances, for example addressing a security breach, things can get out of hand if we don't have a streamlined set of procedures.

Now password guidelines could be something along the lines of: select a phrase as password, as it is easy to remember and strong. And this is true because if you select a sentence or phrase as password, the sheer length of that is going to make the password very strong and almost impossible to attack through brute force.

So, as we saw, policies provide overall direction. And then we have standards, which basically allow us to explain policies in more detail, and then we have procedures, which list the specific steps that you need to take.

Designing effective information security policies is a difficult task and there are a number of challenges which must be addressed. Let's have a look at some of the key things that you must take into consideration if you want to design an effective information security policy.

So the first one is risks. You should always clearly identify risks and their possibility of occurrence, and prioritize them. So the key danger here is that if you miss the risk, especially one that is likely to materialize, then your information security policy would have a serious flaw.

So next are legal and regulatory requirements. Every industry has its own set of legal and regulatory compliance requirements, and when designing your information security policies, those requirements must be properly addressed.

Any information security policy without teeth is pretty much useless, so your policy should clearly identify instances which are considered as violations and the penalties associated with those, and then you should also make sure that those penalties are enforced.

You should always take people on board, especially the staff, who would be abiding by your security policy day in and day out. They can even help streamline the policy and they can sometimes identify areas or issues that might have been overlooked.

You can have the best information security policy in the world, but if your employees are not properly trained on how to implement it, then it's pretty much useless. So you should always make sure that you conduct periodic training workshops in which you share the information security policy rules and make your employees aware of them.

Finally, you should always have management support, and the support should not be verbal: it should be written and it needs to be visible. So if the employees see senior management owning a security policy and recommending it, then they are more likely to follow it.

So this concludes our lecture. I'll see you in the next one.
