WEBVTT

1
00:00:00.000 --> 00:00:01.650
In this section of the course,

2
00:00:01.650 --> 00:00:03.900
we are going to discuss Governance.

3
00:00:03.900 --> 00:00:07.530
The Governance section of the course focuses on Domain 1:

4
00:00:07.530 --> 00:00:09.223
Governance, Risk, and Compliance,

5
00:00:09.223 --> 00:00:11.790
specifically Objective 1.1,

6
00:00:11.790 --> 00:00:13.170
which states that given a set

7
00:00:13.170 --> 00:00:15.540
of organizational security requirements,

8
00:00:15.540 --> 00:00:17.070
you must be able to implement

9
00:00:17.070 --> 00:00:19.230
appropriate governance control.

10
00:00:19.230 --> 00:00:22.200
The term governance includes the strategic oversight

11
00:00:22.200 --> 00:00:24.990
and documentation necessary to maintain

12
00:00:24.990 --> 00:00:29.010
and enhance an enterprise organization's security posture.

13
00:00:29.010 --> 00:00:30.930
This includes not only the creation

14
00:00:30.930 --> 00:00:33.480
and administration of a security program,

15
00:00:33.480 --> 00:00:35.730
but also the development of awareness

16
00:00:35.730 --> 00:00:37.110
and training initiatives

17
00:00:37.110 --> 00:00:39.750
to ensure employees are informed and vigilant.

18
00:00:39.750 --> 00:00:42.630
Furthermore, governance frameworks may be used

19
00:00:42.630 --> 00:00:44.610
to align security practices

20
00:00:44.610 --> 00:00:46.440
with organizational goals

21
00:00:46.440 --> 00:00:49.800
while ensuring security measures are effectively implemented

22
00:00:49.800 --> 00:00:53.820
and maintained across all levels of the organization.

23
00:00:53.820 --> 00:00:55.650
As we go through this section,

24
00:00:55.650 --> 00:00:58.380
we will cover many topics related to Governance,

25
00:00:58.380 --> 00:01:01.620
including Security Program Documentation,

26
00:01:01.620 --> 00:01:03.870
Awareness and Training Considerations,

27
00:01:03.870 --> 00:01:05.520
Governance Frameworks,

28
00:01:05.520 --> 00:01:09.240
Governance, Risk, and Compliance or GRC tools,

29
00:01:09.240 --> 00:01:12.750
Management Involvement, Change and Configuration Management,

30
00:01:12.750 --> 00:01:16.740
Staging Considerations, and Communication Considerations.

31
00:01:16.740 --> 00:01:20.280
First, we will look at Security Program Documentation.

32
00:01:20.280 --> 00:01:22.140
Security Program Documentation

33
00:01:22.140 --> 00:01:24.600
includes organizational policies,

34
00:01:24.600 --> 00:01:27.630
procedures, standards, and guidelines.

35
00:01:27.630 --> 00:01:29.910
Policies establish high-level principles

36
00:01:29.910 --> 00:01:32.010
and expectations for security.

37
00:01:32.010 --> 00:01:35.460
Procedures provide detailed step-by-step instructions

38
00:01:35.460 --> 00:01:37.170
for implementing policies.

39
00:01:37.170 --> 00:01:41.010
Standards define specific requirements that must be met.

40
00:01:41.010 --> 00:01:44.040
And guidelines offer recommended practices

41
00:01:44.040 --> 00:01:45.870
to help achieve compliance

42
00:01:45.870 --> 00:01:49.320
and alignment with organizational policies and standards.

43
00:01:49.320 --> 00:01:52.290
Together, these documents ensure consistent

44
00:01:52.290 --> 00:01:54.450
and effective security practices,

45
00:01:54.450 --> 00:01:57.600
enabling secure organizational operations

46
00:01:57.600 --> 00:01:59.430
by coordinating security efforts

47
00:01:59.430 --> 00:02:02.640
with business objectives and regulatory requirements.

48
00:02:02.640 --> 00:02:04.650
Then, we will explore Awareness

49
00:02:04.650 --> 00:02:06.240
and Training Considerations.

50
00:02:06.240 --> 00:02:08.610
As a part of security program management,

51
00:02:08.610 --> 00:02:10.560
awareness and training considerations

52
00:02:10.560 --> 00:02:13.500
include overall employee situational awareness

53
00:02:13.500 --> 00:02:15.480
to include physical security,

54
00:02:15.480 --> 00:02:17.280
awareness of frequent attack vectors,

55
00:02:17.280 --> 00:02:19.301
such as phishing and social engineering,

56
00:02:19.301 --> 00:02:21.900
and a consideration for privacy

57
00:02:21.900 --> 00:02:23.880
and operational security.

58
00:02:23.880 --> 00:02:27.270
These topics are a consistent mainstay in initial

59
00:02:27.270 --> 00:02:29.610
and recurring security program training.

60
00:02:29.610 --> 00:02:32.400
After that, we will look at governance frameworks.

61
00:02:32.400 --> 00:02:33.960
Governance frameworks are used

62
00:02:33.960 --> 00:02:36.090
to establish structured guidelines

63
00:02:36.090 --> 00:02:38.070
and best practices for managing

64
00:02:38.070 --> 00:02:41.670
and aligning IT operations with business goals

65
00:02:41.670 --> 00:02:44.520
while ensuring risk management and compliance.

66
00:02:44.520 --> 00:02:47.880
COBIT, the Control Objectives for Information

67
00:02:47.880 --> 00:02:49.440
and Related Technologies,

68
00:02:49.440 --> 00:02:52.500
is used to establish a detailed set of controls,

69
00:02:52.500 --> 00:02:54.300
metrics, and processes

70
00:02:54.300 --> 00:02:57.240
that align information technology management

71
00:02:57.240 --> 00:02:59.070
with enterprise objectives,

72
00:02:59.070 --> 00:03:01.140
ensuring effective risk management

73
00:03:01.140 --> 00:03:02.970
and regulatory compliance.

74
00:03:02.970 --> 00:03:06.900
ITIL, the Information Technology Infrastructure Library,

75
00:03:06.900 --> 00:03:10.290
provides a structured approach to IT service management,

76
00:03:10.290 --> 00:03:12.450
defining best practices for delivering

77
00:03:12.450 --> 00:03:13.830
and managing services

78
00:03:13.830 --> 00:03:16.170
to ensure they meet business requirements

79
00:03:16.170 --> 00:03:18.480
and to optimize service delivery.

80
00:03:18.480 --> 00:03:21.900
Then, we will explore Governance, Risk, and Compliance

81
00:03:21.900 --> 00:03:23.670
or GRC tools.

82
00:03:23.670 --> 00:03:26.100
Governance, Risk, and Compliance tools are used

83
00:03:26.100 --> 00:03:29.310
to integrate the management of an organization's governance,

84
00:03:29.310 --> 00:03:31.440
risk, and compliance activities

85
00:03:31.440 --> 00:03:33.450
by automating processes,

86
00:03:33.450 --> 00:03:36.360
tracking compliance with regulatory requirements,

87
00:03:36.360 --> 00:03:38.970
and maintaining accurate documentation.

88
00:03:38.970 --> 00:03:41.640
These tools often include features like mapping

89
00:03:41.640 --> 00:03:44.700
to align controls with specific regulations,

90
00:03:44.700 --> 00:03:46.917
automation to reduce manual workloads,

91
00:03:46.917 --> 00:03:50.670
and continuous monitoring to ensure ongoing compliance

92
00:03:50.670 --> 00:03:53.760
and risk management, as well as documentation.

93
00:03:53.760 --> 00:03:55.350
Examples of Governance, Risk,

94
00:03:55.350 --> 00:03:58.875
and Compliance tools include RSA Archer,

95
00:03:58.875 --> 00:04:02.325
ServiceNow GRC, and Systems Applications

96
00:04:02.325 --> 00:04:05.200
and Products or SAP GRC.

97
00:04:05.200 --> 00:04:08.640
Following that, we will look at management involvement.

98
00:04:08.640 --> 00:04:09.960
At the day-to-day level,

99
00:04:09.960 --> 00:04:12.750
effective governance relies on management involvement

100
00:04:12.750 --> 00:04:13.920
to ensure that roles

101
00:04:13.920 --> 00:04:17.820
and responsibilities are clearly assigned and managed.

102
00:04:17.820 --> 00:04:21.780
The Responsible, Accountable, Consulted, Informed

103
00:04:21.780 --> 00:04:25.470
or RACI Matrix is a valuable tool

104
00:04:25.470 --> 00:04:28.440
that can be used to clarify those roles,

105
00:04:28.440 --> 00:04:31.710
detailing who is responsible for execution,

106
00:04:31.710 --> 00:04:33.480
accountable for outcomes,

107
00:04:33.480 --> 00:04:36.960
consulted for input, and informed of progress.

108
00:04:36.960 --> 00:04:39.870
By utilizing the RACI matrix,

109
00:04:39.870 --> 00:04:42.480
organizations can enhance accountability

110
00:04:42.480 --> 00:04:44.910
and streamline decision-making processes,

111
00:04:44.910 --> 00:04:48.450
ensuring that governance activities are effectively managed

112
00:04:48.450 --> 00:04:51.120
and aligned with organizational objectives.

113
00:04:51.120 --> 00:04:55.080
Then we will explore Change and Configuration Management.

114
00:04:55.080 --> 00:04:56.760
Change and Configuration Management

115
00:04:56.760 --> 00:04:58.590
involves structured processes

116
00:04:58.590 --> 00:05:00.870
to maintain system modifications,

117
00:05:00.870 --> 00:05:03.090
ensuring they are carried out efficiently,

118
00:05:03.090 --> 00:05:05.730
approved, and tracked accurately.

119
00:05:05.730 --> 00:05:07.410
To assist in this process,

120
00:05:07.410 --> 00:05:10.320
inventory management maintains a detailed record

121
00:05:10.320 --> 00:05:12.690
of all hardware and software assets,

122
00:05:12.690 --> 00:05:14.730
while the Asset Management Lifecycle

123
00:05:14.730 --> 00:05:17.490
addresses each stage of an asset's life,

124
00:05:17.490 --> 00:05:19.770
from acquisition to disposal.

125
00:05:19.770 --> 00:05:21.060
Bringing it all together,

126
00:05:21.060 --> 00:05:23.280
a Configuration Management Database

127
00:05:23.280 --> 00:05:27.330
or CMDB can act as a central repository

128
00:05:27.330 --> 00:05:31.260
for storing information about configuration items or CIs.

129
00:05:31.260 --> 00:05:33.990
Configuration Items are individual components

130
00:05:33.990 --> 00:05:36.690
of the information technology infrastructure.

131
00:05:36.690 --> 00:05:38.520
A Change Management Database

132
00:05:38.520 --> 00:05:41.220
tracks a configuration item's relationships

133
00:05:41.220 --> 00:05:43.200
to other configuration items

134
00:05:43.200 --> 00:05:45.060
and to specific services.

135
00:05:45.060 --> 00:05:46.740
Change Management Databases

136
00:05:46.740 --> 00:05:49.260
enable effective management of changes

137
00:05:49.260 --> 00:05:51.900
and the maintenance of system integrity.

138
00:05:51.900 --> 00:05:54.480
After that, we will look at the Data Lifecycle.

139
00:05:54.480 --> 00:05:57.210
The data lifecycle describes managing data

140
00:05:57.210 --> 00:05:59.460
through its six stages of life.

141
00:05:59.460 --> 00:06:04.290
The six stages of the data lifecycle are: creation, use,

142
00:06:04.290 --> 00:06:08.430
sharing, storage, archival, and destruction.

143
00:06:08.430 --> 00:06:11.370
Staging refers to an intermediate phase

144
00:06:11.370 --> 00:06:13.650
where data is temporarily stored

145
00:06:13.650 --> 00:06:16.050
and prepared for further use.

146
00:06:16.050 --> 00:06:18.660
It typically occurs between the data creation

147
00:06:18.660 --> 00:06:20.070
and the use phase

148
00:06:20.070 --> 00:06:23.220
and serves as a space for activities like development,

149
00:06:23.220 --> 00:06:25.410
testing, and quality assurance.

150
00:06:25.410 --> 00:06:28.260
These activities are essential for validating

151
00:06:28.260 --> 00:06:30.840
and ensuring the integrity of data

152
00:06:30.840 --> 00:06:33.450
before it transitions to production

153
00:06:33.450 --> 00:06:35.280
where it is fully utilized.

154
00:06:35.280 --> 00:06:38.070
While staging is not one of the primary six stages

155
00:06:38.070 --> 00:06:39.570
of the data lifecycle,

156
00:06:39.570 --> 00:06:43.110
it plays a critical role in the preparation process,

157
00:06:43.110 --> 00:06:45.600
facilitating smooth data handling

158
00:06:45.600 --> 00:06:48.390
before production and eventual use.

159
00:06:48.390 --> 00:06:51.840
Finally, we will explore Communication Considerations.

160
00:06:51.840 --> 00:06:54.150
Communication considerations include

161
00:06:54.150 --> 00:06:55.860
communication and reporting.

162
00:06:55.860 --> 00:06:58.680
Effective communication and reporting are critical

163
00:06:58.680 --> 00:07:00.600
to security program management

164
00:07:00.600 --> 00:07:01.950
because they ensure

165
00:07:01.950 --> 00:07:04.770
that relevant information about security incidents,

166
00:07:04.770 --> 00:07:07.470
compliance status, and risk assessments

167
00:07:07.470 --> 00:07:10.080
are accurately conveyed to internal

168
00:07:10.080 --> 00:07:11.820
and external stakeholders.

169
00:07:11.820 --> 00:07:14.730
Furthermore, timely and detailed reports

170
00:07:14.730 --> 00:07:17.220
facilitate informed decision-making,

171
00:07:17.220 --> 00:07:20.070
enable rapid response to potential threats,

172
00:07:20.070 --> 00:07:23.730
and support compliance with regulatory requirements.

173
00:07:23.730 --> 00:07:25.110
To finish things off,

174
00:07:25.110 --> 00:07:26.640
we'll take a short quiz

175
00:07:26.640 --> 00:07:29.760
to see what you learned during this section of the course,

176
00:07:29.760 --> 00:07:33.030
and we will review each of those quiz questions fully

177
00:07:33.030 --> 00:07:36.330
to ensure you can explain why the right answers were right

178
00:07:36.330 --> 00:07:38.160
and the wrong answers were wrong.

179
00:07:38.160 --> 00:07:40.680
So let's get ready to dive into governance

180
00:07:40.680 --> 00:07:42.513
in this section of the course!

