Hi there. My name is Ken Mayer, and I'm going to be your instructor on this course. Now, I've been involved in the information technology sector since the very early 80s. I've worked on a lot of different platforms and devices, starting with mainframes, with systems programming, moving on into the world of the enterprise with Novell networks and Microsoft networks, working with Microsoft networks from Windows NT4 all the way through 2008. A lot of that was dealing with security issues, with coming up with policies about access and ways to harden your servers. I worked in network infrastructure, the routing and switching, with large corporations like Juniper and Cisco, also working with their security devices through the use of firewalls, deep packet inspection, intrusion detection systems, and monitoring systems to determine or look for signs of attacks and vulnerabilities. I've worked in the world of ethical hacking, doing a lot of jobs in penetration testing and understanding the purpose of audits. And through my consulting and working with a lot of different companies, including almost every major internet service provider around the world, I've had the opportunity to see a lot of different security programs, a lot of ways in which these policies and procedures and standards have been created. And I hope to be able to use that experience to share with you what it takes to have a good security management program. Now, this domain is entitled Information Security Governance. And the goal of the domain is to give us an overview of what it takes to go from the very beginning, the initial planning statements, the actual development of a security governance program, through its implementation, its management, and meeting your objectives, which need to be in alignment with the actual business objectives.
You'll see as a recurring theme through much of this course that the goal of security governance still has to be able to keep the business doing what makes it profitable. So business objectives are also going to be a key factor. Now, remember that we're giving you kind of an overview of what is involved in the field of security governance, with some insights into what we would be looking for and what pitfalls you might come across while creating this program and making sure that it's as thorough a program as we can make it. We're going to talk about information security governance as an overview, kind of getting that nice big picture. Now, when we think about what information is, we can define it as data that is endowed with meaning and purpose. And I love these fancy phrases, but really that's what it is. We are seeing more and more of our businesses relying on the data that they store. In fact, data, or if you want to think of it as information, has become a very important part of all of our lives. It's almost an indispensable component of doing actual business: the transferring of funds, the transferring of products, flying an airplane. Today we no longer seem to have that third person who was there to chart the course and make sure you got to where you needed to go; that's all coming through as business related. Now, for some companies the information might actually be their business. If you take Google or eBay, Microsoft, and many other companies, when you think about it, what they are producing is the storage and availability of information, whether it's through searching websites, looking for products to buy from other people in the auction capability, or your operating systems and other supporting software. Now, all of the information today is really nothing more than blocks of information that are stored on hard drives or solid state drives, but they are just a bunch of ones and zeros.
And as I said, the information we see today has become very pervasive in society and business. We have people today that are probably talking to people around the world more frequently than to their neighbors, and certainly with businesses, as far as the information goes: trade secrets, copyrights, information about their customers, the financials, all being stored electronically. In fact, the dependence on information is higher today than it's ever been. Just recently there was a story about an airline that had a small power outage to their network systems, grounding hundreds of flights, because apparently they didn't know how to manually board people onto the airplane and check them off a list when they presented their ticket or boarding pass, and couldn't get the computers working to get the flights, or I guess basically the flight plans, filed or created. So really, the dependence on information is something we haven't seen, at least in my lifetime. I remember starting out as a young kid going into a bank and having a ledger statement that they filled out, and at some point it was reconciled, knowing that if I made a deposit in one branch it might be next week before that deposit was available to me at a different branch, when they actually knew about it. So it really is good the way in which information works for us today, but our dependence on it is very crucial. Now, you could think of information as a resource that's now equal in importance to your traditional land, labor, and capital. Many companies, like I mentioned Google as an example, are businesses that everybody utilizes, well, maybe not everybody but a lot of people utilize, but outside of where the people who work at the company are, it has no brick and mortar type of storefront, no building or branch that you walk into. So really that's kind of giving you an idea of how important information is in all of our lives, in all of our enterprises.
Now, the Gartner Group has estimated that organizations are going to deal with more than 30 times the information that they do today, and that's going to be in the next decade. Now, if you consider the glaring vulnerabilities and the perpetual crisis mode activities, this might not be as reassuring as it sounds. When you already think about how dependent we are on information, how vulnerable a lot of information can be, and how we have to respond to any breaches of our security, you can imagine that it sounds very scary. I'm thinking of what would happen with GPS going down if somebody interrupted the communications. I mean, granted, that just affects me because I travel a lot; I'd have to go back to the old days of finding a map and figuring out where I was. And that's just one little itty bitty piece of this entire process of saying, wow, it's just crazy, right? Financially, if my bank loses customer records, that's going to affect me no matter where I am. So that's a part of why information security governance is very important to us: we have to be able to find a way to reduce these types of risks. Now, our goal then is to gain adequate protection for our information resources, and the issue should be raised regarding the critical governance functions that help us oversee this as a program, to help us get to those objectives, which is our security program. Now, until recently the major focus in security has been trying to protect the IT systems that store the information rather than the information itself.
Now, I know that sounds kind of unusual, but right now, if you think about having a storage area network or a mainframe that's consisting of all of your database of information, we've been trying to protect that system, right? We try to protect that system, having redundancy in hard drives, redundancy in power supplies, backup power supplies, backup means of power grids, protecting that system and of course the information that we have on it. But that information is really kind of the resting point. We still have to worry about the protection of the communications path, of the integrity of the data that is being entered itself, if it's even correct information, and we just kind of go on and on and on. But that just means that our focus at one point was really just on the storage. Now, information security is going to take a larger view than just even the content, the information, or the knowledge that's based on it. Now we have to start looking at protecting the information in all of the states of it being processed. Again, that's from the gathering of the information, the entering of information, the transmission of information, as well as the storage. Now, there are enormous benefits of information, and also with that we see new risks, as well as sometimes a confusing patchwork of existing laws and regulation that we have to deal with in trying to work with our information. Now, information security governance is really going to start off as a responsibility of the board of directors and executive management. In the long run they are the ones who are liable for the information or the loss of the information, and we consider them to be the owners of the information. In order for you to have effective security governance, you have to have their support. We call that the process of having support from the top down; it needs to be an integral and transparent part of your enterprise governance.
Now, information, as we said, has a lot of meanings; another way of describing it is data endowed with meaning and purpose, as we've said. Now, others have stated that knowledge has become sometimes the sole factor for productivity, sidelining both capital and labor, and it goes without saying that knowledge is becoming one of the most important assets. If you didn't have it, the ability to conduct business would be impossible; you couldn't do it. Think about online companies that are booksellers. They have to have a lot of different information and knowledge exchanges just for you to have a single transaction: you have to be able to have connectivity with your bank to show they have available funds, there has to be a transfer of those funds electronically to the seller's bank, they have to communicate with inventory, with shipping, with ordering replacements after they ship these products out to you, and all of that is just on a single transaction. That just means that without this kind of information, without the ability for these communications, they just wouldn't be able to do any type of business at all. Now that we see that there are a lot of legal and regulatory requirements, good information security governance is simply going to be a way of what's called doing good business. Now, the benefits of good management can include a lot of positive aspects. Number one, we can plan for any increase of civil or legal liability. Now, what does that mean?
Well, I think about recently one of these companies that have games that kids play, hooked up to the TV, the game consoles, and they're doing a lot of online type of playing, and all of their customer information was stolen. From what I understand, that could be credit cards, the names and addresses of people, who now have millions of potential civil complaints about having identity theft, the crisis of just going through and getting a replacement credit card, of wondering about any charges being made that they have to fight off. And all of that, when you think about it, suddenly means that that company may have millions of lawsuits. They certainly have some legal liability about how well they store that information. So that's going to continue to increase, because a lot of these databases that we have are gathering more and more information, which means if it's compromised, it brings an increase in liability. Now, we also know that when we talk about liability, civil and legal doesn't mean just lawsuits but criminal actions as well. We saw a large one, I guess I will say Enron since they're out of business; some of those people went through legal liability, legal liability by the way at the top, starting with the CEO and all of the rest of executive management, for the way in which they were basically cooking the books about their financials. That again was a way of their destroying or altering information, things that should have been protected, and it caused a legal liability including jail and prison time.
Now, the other benefit is that we can have good, or try to assure good, policy compliance. That means if we have policies, and those policies are in place for the purpose of knowing what our goals are for security, but we don't have good management to make sure that we, number one, communicate, train, make people aware, and of course add that top-down effect, then how do we really get good policy compliance? As an example, if you have a policy that says there's an acceptable use of how I'm going to use email, and I start using your email servers to send spam to people across the world, or maybe enter into inappropriate conversations, or use it to share company or corporate secrets, but you don't have any actual enforcement of these policies, so that nobody at the top can really say if you violate it you're going to be terminated, you may even be criminally prosecuted, then how are you going to really assure that I'm going to be compliant with that policy if there's no enforcement action? Now, I realize I'm giving this a countless negative connotation, but that's one aspect of policy compliance. The other is just making sure I know and understand how that policy applies to me. All of that is a part of having good management. That also means that we can reduce, hopefully with good policy or good governance, the uncertainty of business operations, to be able to optimize the allocations of our limited security resources. I realize that most of us don't have all the money in the world to buy every single type of security assurance control that we could put in there and try to protect everything and make it a hundred percent secure. At some point I don't want to spend a lot of money when there's not a lot of return. And I use as an example something way off the board with information, but recently I went down to an electronics store to buy a new headset for my computer, and it was a very cheap one; it was four dollars and ninety nine cents, and when I was at the
checkout stand, they asked if I wanted to buy the extra insurance policy, a replacement policy. In a way it was kind of a control, trying to balance the risk. And even though my headset was five bucks, four dollars and ninety nine cents, I was curious. I was like, okay, how much is this replacement policy? And they said it was simply six dollars and ninety nine cents, and it would be good for two years. And I'm thinking to myself, at that rate I could have just bought my own backup headset. So not everything is a good investment, I guess is what I'm trying to say, in security, trying to put it into kind of a different little scenario. So good information security governance should, as I said, help us optimize those resources. It also should help ensure that business decisions are going to be made on that information. Now, that's an important aspect, right? We want to make sure that when we're looking at our governing set of security governance, our decisions are based on that management of what our programs and policy are going to be. We also can see the improving of the confidence in the interactions with trading partners. Now, that's also a very important aspect, because we expect to see the same from them. As an example, if my company's job is to take credit cards from customers for the purchase of goods or services, I'm going to have to communicate with a credit card processing center. They generally have a set of policies that we have to adhere to, security audits and making certain levels of protections, so that they're willing to open up their networks for communications with us, and having good security governance is going to help make that interaction better. It should also help improve trust and customer relationships. Now, what I mean by that is that if I was that company who had the game console, with all those customers' information taken, I don't see a lot of trust that they're going to want to come back and put their new information into that
same database, and they may have customers that might not return. But if we show a history of doing good with our security governance, then we're going to get an ongoing feeling of trust and hopefully better customer relationships. That should mean better for the company in the bottom line, and of course that also is going to help us in safeguarding the company's reputation, because again our reputation is very important; without a good reputation you don't see a lot of repeat business or even new business. Now, when we talk about the outcomes of our security governance, really information security governance is designed to include the elements that are required to be able to improve the assurance and the direction of the security posture of the organization. With those elements in place, management should be confident that there's at least adequate and effective information security to protect those assets, again for all the reasons we want good governance: we don't want to worry about losing information, about losing our reputation, about civil or legal liabilities, and the rest of it. Now, the objectives of information security really are to develop and implement and manage the security program to be able to cover some of the following basic outcomes of security governance. Some of those are things like strategic alignment, which is just the alignment of your information security to the business strategy. Now, again, if my company is about making widgets, that's what my security policy has to do: help in supporting the company to be better at making widgets, because that's what keeps the company in business, not necessarily how well you store the information or how well you transmit the information or keep trade secrets. Those are important aspects, don't get me wrong, but that's not necessarily the profit arm of the company that keeps the company thriving and growing. So we can't sometimes be so secure that we're stifling or affecting the actual goal of the business strategy; rather, again,
we should be supporting it and trying to make the objectives align with each other. Now, with that strategic alignment, hopefully that means your security requirements are going to be thoroughly developed to give guidance on what should be done, that your security solutions will fit into the culture, the governance style, the technology, and the structure of the organization, that again you're aligned with the enterprise strategy, and that the known threats, vulnerabilities, and risk profile are appropriately looked at and hopefully dealt with or contained. One of the other outcomes of your security governance is risk management. Now, risk management is really the foundation for a lot of the policies and the security programs that you're going to be creating, and we basically want to use appropriate measures to find ways to reduce risk and the potential impacts on information. Now, notice I said the reduction and not the complete elimination. Again, we cannot completely eliminate risk, but we can try to reduce that risk to an acceptable level. We'll get to talk more about that as we move into the actual development process. But in order to have risk management, you need to first of all understand what the threats and vulnerabilities are, and if you don't know what the threats or the vulnerabilities are, then how do you really even know there's risk? And that's an important aspect. And remember that even though we're talking about information security, a lot of us begin to think about hackers and firewalls and things like that, but other threats to our information, to our security, can come from natural disasters, from the failure of equipment, to theft, and maybe even accidental actions on the part of our employees. That just means we need to really understand what those threats and vulnerabilities are so that we can appropriately manage that risk. We also need to know what the risk exposure and consequences of compromise would be. In other words, if there was a
fire in that building, what is that exposure? What are the powers that be, that look historically at the structures, the types of fires, what would they tell you would be the amount of damage? Would the entire building be a loss, or would there be maybe just some parts of the building that are uninhabitable? We need to understand what that exposure is, and of course what that means to us, what's the consequence of that compromise. Now, we need to have an awareness of risk and have really a series of priorities, because every aspect of information can be at risk, but some information obviously is more important than others, and some loss of information could be the type of loss that is going to affect the dependencies of many other processes and can have a really large cascading effect. So we really want to look at the prioritizations and how they interact. That goal of risk management, of course, as I said, is to reduce risk to an acceptable level, and risk acceptance really is based on an understanding of the potential consequences of having that residual risk. And that's kind of the goal: we're trying to reduce it down to that acceptable level and be able to say, okay, now that we've got a lot of that taken care of, what we have left may be more manageable. Now, as we still talk about the outcomes of having information security governance, one of the other outcomes is value delivery, which is optimizing your security investments to help support, again, the business objectives. That means we want to include a set of security practices or baseline security requirements. Now, a baseline, and a lot of this you have to remember again, as we introduce this domain, is an overview of what we're going to be seeing in more detail, but a baseline can also be thought of as that minimum security that we need. Now, that's a part of the security practices: understanding those minimums doesn't mean we have to strive for the minimum, but it might be a good baseline where we
can grow from. Now, prioritizing the efforts to the areas with the greatest impact and the best business benefit, that's another part of the value delivery. Again, there are going to be some assets that are more important to us, and we need to think about those, usually at the top of the list, when trying to carry out security governance, rather than worrying about whether or not people are taking pencils from the closets in our office. Using a standards-based solution is another value added, especially standards-based because that helps us with interoperability between different vendors or even with different organizations. Having complete solutions covering the process as well as the technology of the business organization, and knowing that security is thought of as a process and not just a single event. Your resource management is another outcome of your information security governance, and that is using the information security knowledge and infrastructure in a way that's efficient and effective. And it is important to understand, because resources are not just monetary; it's also the personnel, the environment, the culture of the company, and it's important that we understand what our resources are and manage them well to get the most out of them. We want to make sure that basically the knowledge is captured and available. Now, one of the biggest things of our resource management is that the knowledge is the data; we want to make sure that we have it and that it is not so unavailable or locked up under security that it's not useful. We can use the resources to help us maybe document security processes and practices, to understand how those resources are being used, to be able to create a security architecture, to define and utilize the infrastructure resources to the best of their ability. Another outcome is performance measurement. Now, performance measurement is an important part of this, monitoring and reporting on information security
processes, number one, to make sure that your objectives are being achieved. Now, having a set of metrics should also be aligned with the objectives; in other words, they need to be meaningful metrics or parts of the security process that we're monitoring. We want to be able to find shortcomings, to get feedback, so we can see process improvement, and of course we may have to consider having external audits to help confirm what we would call our security assertions. In other words, if we think that we have a firewall that's doing what it's supposed to be doing, having an external audit can actually let us know if the logic of our security policies is working: does that firewall actually block the traffic we asserted that it would, does it stop the type of attacks or mitigate them the way we assert that it would? A lot of that comes through independent testing. One of the last outcomes that we look for in information security is integration. Now, integration means that we are going to integrate all relevant assurance factors to make sure that the processes are basically operating as they are intended. Now, what does that mean, integration? Well, that means that we need to look at all of the organizational assurance functions. When you think about the business as a whole, it's not just information technology. I mean, sure, that's kind of our focus with information security, but we are supporting other business units, and they may have their own set of policies with regards to information: how they retrieve it, how they enter it, how they interact with it. And so that's another part of the integration, to make sure that it's pretty much working with all of the organizational assurance functions of the different business units. That means we want to coordinate the assurance functions for complete security. I don't necessarily need to have you do your security and I do my security, because without that integration there could be gaps or lapses
in between those boundaries of what you're doing and what I'm doing, rather than what we can do together to come up with a better solution. That means we should have some overlapping roles and responsibilities, and we want to look at it as a systems approach to security planning, development, and management, rather than, again, just doing that kind of an isolationist point of view.