Hey, I'm Rob Witcher from Destination Certification, and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to the alignment of the security function to business goals and objectives. This is the first video in our complete set of mind map videos. This mind map series is meant to help you review the key topics you need to know to confidently pass the CISSP exam. There are two other mind map videos for Domain 1, and a total of 30 of these mind map videos. I've included links to all the other mind map videos in the description below.

Before I launch into this first mind map, I'd like to give you a critical bit of advice that will make it massively easier for you to study for and confidently pass the CISSP exam: you need to have the right mindset in your studies, and especially on the exam. CISSP is a management-level certification, so you need to be really careful not to think too technically. You need to think like a CEO. I'll explain this critical mindset more at the end of this video.

All right, so starting high level, and thinking like a CEO would, let's launch into this first mind map and define corporate governance. Corporate governance is the system of rules, practices and processes by which an organization is directed and controlled to achieve its goals and objectives, which are typically focused on increasing the value of the organization. So fundamentally, corporate governance is about ensuring an organization has clear goals and objectives and everyone in the company is aligned towards achieving those goals and objectives. Security governance, then, is the system of rules, practices and processes by which the security function is directed and controlled.

A crucial part of security governance is aligning the security function to the overall organizational goals and objectives, so that security can help the business achieve its goals and objectives, so that security is an enabler for the business. This is something crucial that we always need to keep in mind as security professionals: our job is to help the business achieve its goals and objectives, to be an enabler for the business. We don't want to be the "shop of no". We shouldn't always be telling the business "no, you can't do that, it's too risky." We should ideally be saying something more like "here's the risk, and here's how we can help you mitigate those risks so that the organization can achieve its goals and objectives." So now you know the focus of security: to help the organization achieve its goals and objectives, to be an enabler to the business, to help increase the value of the organization, and not just be a cost center.

A critical part of governance is having clearly defined roles and responsibilities, so people know exactly what they're supposed to be doing, what they're accountable for and what they're responsible for. Let's spend a few minutes here on these terms, accountability and responsibility. These are terms often used interchangeably, but there is actually a massive difference between them that is very important to understand from a security perspective.

Let's start by defining accountability. Accountability means the ownership of something. Accountability means the ultimate answerability, blameworthiness and liability. Put simply, accountability is where the buck stops, the throat that gets choked if something goes wrong. And, really crucially, accountability can never, ever be delegated. The owner of an asset is accountable for the security of their asset, and they can never delegate that accountability to a subordinate, contractor or service provider, or anyone else. They can't delegate their accountability to anyone. What can be delegated is responsibility. The responsible party will implement and enforce controls based on the direction of those that are accountable. A perfect example is a public cloud service provider. The CSP will be responsible for storing, processing and securing a customer's data, but ultimately the customer remains accountable for the security of their data. The customer cannot outsource the accountability for protecting their data, but they can delegate the responsibility. The concept of accountability versus responsibility is going to come up again and again and again; it's crucial to understand the difference.

Due care is the responsible protection of assets based on the goals and objectives of the organization. Due diligence is the demonstrated ability to prove due care to stakeholders: upper management, regulators, customers, shareholders, etc.

There's an interesting bit of security history related to import/export controls. I'm wildly oversimplifying here, but essentially, during the 1970s and 80s some amazing advancements were happening in cryptography. Super secure new algorithms like DES were being created, and whole new amazing techniques like asymmetric cryptography were invented. These new algorithms and techniques essentially allowed data to be encrypted such that no one in the world could decrypt it, including organizations like the NSA, who wanted to be able to decrypt and read anyone's data. I need to stop picking on the NSA here; they might be listening. So laws were put in place to restrict the export of certain cryptographic algorithms and systems, to make sure that they didn't get in the hands of Soviets. These are serious laws, and violations could see you thrown in federal prison. So that's the history of it.

The two major export laws you need to know about are ITAR and EAR. They both restrict the manufacturing, sales and distribution of specific technologies, products, software and services. These laws restrict the export of certain cryptographic systems. ITAR, the International Traffic in Arms Regulations, focuses on the export of defense articles (things like missiles and satellites), technical data and defense services. The keyword there related to ITAR is that it focuses on defense-related items. EAR, the Export Administration Regulations, regulates dual-use items not covered by ITAR, but also still applies to some defense-related items. The Wassenaar Arrangement is very different from ITAR and EAR. Importantly, the Wassenaar Arrangement is voluntary, not a strict law, and it's also a multinational agreement between 42 signing members, 42 countries. The Wassenaar Arrangement is a voluntary export control regime where signatories exchange information on transfers of conventional weapons and dual-use goods and technologies.

Now, another type of law that is very relevant today: trans-border data flow laws, also commonly referred to as data residency laws or data localization laws. These laws are focused on restricting or preventing the flow of data across physical borders. For example, many countries require that the personal data collected from their citizens be stored on systems within their country.

Privacy is not a massive topic on the CISSP exam, but it is large enough to warrant its own mind map, so for now I'll simply say you cannot achieve privacy without security, and we'll talk more about privacy in the next mind map video.

Ethics are very important to address as part of your security program. Organizations want their employees to act ethically and consistently. The challenge is that each of us has very different ethical values, so for an organization to have consistent ethics across all their employees, they must codify their ethics: write them down in a policy. Policies are essentially corporate laws; we'll talk about that more in a moment. What are ethics based on? A good answer is that ethics are based on doing nothing that is harmful to anyone else.

Now, this part is critical to memorize for the exam: the ISC² Code of Ethics. ISC² takes this very seriously. It is a requirement of you becoming a CISSP that you agree to abide by this Code of Ethics. ISC² wants to make sure that you know this Code of Ethics and how to interpret it, so you're going to see at least a question or two about these on the CISSP exam. I'm going to read them out here. Memorize the wording and the order; they are meant to be acted upon in order.

Number one: protect society, the common good, necessary public trust and confidence, and the infrastructure.
Number two: act honorably, honestly, justly, responsibly, and legally.
Number three: provide diligent and competent service to principals.
Number four: advance and protect the profession.

Let's now get into an important discussion of policies. As I mentioned earlier, policies are essentially corporate laws. Policies are how we direct behavior within an organization. Policies tell people what they must do. The overarching security policy defines an organization's overall approach to security. The overarching security policy is provided and supported by the board of directors and senior management. The policy defines the goals and objectives for the security function and ensures security is aligned with the overall business goals and objectives. Functional security policies, on the other hand, are more detailed policies that address specific security requirements and practices, such as access control, encryption, incident response, data backups, etc. An organization will have a functional policy for each of these and many more. Good policies are simple, easy-to-read documents that state simple rules, such as "every laptop must have malware protection." Policies are corporate laws; policies tell people what they must do.

Standards define specific mandatory hardware and software mechanisms. For example, an organization's standard might be that Norton Antivirus is the required anti-malware solution for all Windows laptops.

Procedures are step-by-step mandatory actions. For example, an organization could have a procedure for how to install Norton Antivirus on Windows laptops. The exact steps must be followed to correctly install and configure the anti-malware software. Procedures are essentially a step-by-step set of instructions, actions, for how to do something.

Baselines are minimum levels of security and define mandatory configurations for security mechanisms and products. For example, an organization could have a configuration baseline for Windows laptops. The configuration baseline is essentially a checklist of all the things that need to be done to correctly configure and lock down a laptop before it starts being used. For example, the configuration baseline would require that, at a minimum, the host-based firewall be enabled, certain patches be installed, and Norton Antivirus be installed and configured correctly. By the way, I keep mentioning Norton here in the hopes of getting sponsored, so if you're listening... All right.

Guidelines are recommended actions. Recommended. Listen carefully here: guidelines are not mandatory. They're what someone should do, not what someone must do. Guidelines are useful when an organization knows they should be doing something but they haven't fully implemented it yet. So, for example, the organization might want to have multi-factor authentication for all administrative accounts, but if there are systems that don't support that yet, the organization is setting itself up for failure if they create a mandatory requirement for multi-factor authentication for admin access to all systems. Instead, the organization can create a guideline: it would be good to have MFA for admin access to all systems, but it's not a requirement yet.

Risk management is a super important topic. Risk management is a critically important tool that we use as security professionals to help us figure out how to best protect the assets of the organization with the limited resources that we have. There's a mind map dedicated to risk management, and I'm mentioning it here as risk management is a critical part of security governance.

Procurement: security must be involved in the procurement process right from the start of the process. This starts with understanding and validating the business requirements for whatever is being procured. If it's a service being procured, then the security requirements are defined in the SLR, the service level requirements document. The requirements documented in the SLR will be used in the procurement process to evaluate how well each service meets the security requirements. Once a particular service provider is selected, then the requirements listed in the SLR will be translated to a new document, the SLA, the service level agreement. The SLA is an addendum to the legally binding contract, making the SLA legally binding as well. The SLA describes the services to be provided, the service targets, specific responsibilities, etc. Practically, the SLA is used to clearly communicate requirements to a service provider, to say "hey, service provider, I need you to make sure you're doing this, that and the other thing." Going back to what I mentioned earlier, accountability can never be outsourced, but responsibilities can, so the SLA is a crucial document that the owner of an asset uses to make sure the service provider clearly understands their responsibilities.

Who is responsible for security? The answer: everyone. This is absolutely true; everyone is responsible for security. But it's not good enough to just say "hey, everyone's responsible for security." Everyone needs to know what specifically they're responsible for from a security perspective, and how they're supposed to do whatever it is they're responsible for, and that's why we have the last little piece to talk about here: awareness, training and education. I'm going to give you succinct definitions of each.

Awareness is an informal process of communication, such as emails, posters, etc., with the goal of changing cultural sensitivity to a given topic or issue. For example, making employees aware of this thing called phishing and that they should be careful of what links they click on in emails. That's a good example of awareness.

Training is semi-formal and provides specific skills necessary to perform something related to security. For example, if a company buys a bunch of Cisco firewalls, then some employees are going to need to be trained on how to deploy and manage Cisco firewalls. This is training: specific skills.

Finally, education is about teaching fundamental concepts. Our CISSP MasterClass is a perfect example of education: we teach folks the fundamental concepts of security so they can be better security professionals and pass the CISSP exam.

All right, that is an overview of security governance within Domain 1, covering the most critical concepts you need to know for the exam.

As an added bonus in this first mind map video, I want to share with you the most important advice I can give you for passing the CISSP exam. You need to approach your studies, and especially the exam, with the right mindset. As I said, the CISSP is a management-level certification. If you answer the questions on the exam with a technical mindset, you will very likely fail, unfortunately. So how should you approach your studies and, most importantly, the exam? By thinking like a CEO. I made a video on this mindset of thinking like a CEO, which you can watch for free by clicking on the link in the description below. I would highly recommend that you take a few minutes to watch the video. We've trained and guided thousands of people just like yourself to confidently pass the CISSP exam over the last 20-plus years, and we've received hundreds of emails over the years from our students saying things like "thinking like a CEO worked; it was the single biggest factor that helped me pass the exam." So that's why I'm sharing this with you: I know it works, and it will help you pass the CISSP exam. So check out our free Think Like a CEO video; the link is in the description below. All the best in your studies.