WEBVTT

1
00:00:00.060 --> 00:00:01.260
In this lesson,

2
00:00:01.260 --> 00:00:04.380
we're going to talk about Security Program Documentation.

3
00:00:04.380 --> 00:00:06.990
Security Program Documentation outlines

4
00:00:06.990 --> 00:00:09.390
an organization's fundamental approach

5
00:00:09.390 --> 00:00:12.030
to managing and protecting its information systems

6
00:00:12.030 --> 00:00:13.650
from security threats.

7
00:00:13.650 --> 00:00:15.480
Security Program Documentation

8
00:00:15.480 --> 00:00:17.820
includes administrative controls

9
00:00:17.820 --> 00:00:20.760
such as organizational policies, procedures,

10
00:00:20.760 --> 00:00:22.770
standards, and guidelines.

11
00:00:22.770 --> 00:00:24.600
Administrative controls are designed

12
00:00:24.600 --> 00:00:27.360
to regulate the behavior of employees

13
00:00:27.360 --> 00:00:31.290
and ensure adherence to security and operational standards.

14
00:00:31.290 --> 00:00:34.440
Administrative controls further focus on managing human

15
00:00:34.440 --> 00:00:36.390
and operational risks.

16
00:00:36.390 --> 00:00:39.300
Policies, procedures, standards, and guidelines

17
00:00:39.300 --> 00:00:41.970
are all considered administrative controls

18
00:00:41.970 --> 00:00:44.310
and are essential to an organization

19
00:00:44.310 --> 00:00:46.680
because they provide a clear framework

20
00:00:46.680 --> 00:00:48.600
for consistent decision making

21
00:00:48.600 --> 00:00:52.710
and best practices to meet regulatory requirements.

22
00:00:52.710 --> 00:00:55.290
To better understand policies, procedures,

23
00:00:55.290 --> 00:00:58.860
standards, and guidelines, we are going to use the analogy

24
00:00:58.860 --> 00:01:01.620
of driving a car throughout this lesson.

25
00:01:01.620 --> 00:01:04.200
First, let's discuss policies.

26
00:01:04.200 --> 00:01:06.780
Policies establish high-level principles

27
00:01:06.780 --> 00:01:08.940
and expectations for security.

28
00:01:08.940 --> 00:01:12.810
They define what is allowed and what behavior is expected.

29
00:01:12.810 --> 00:01:15.750
Individuals are required to follow policies

30
00:01:15.750 --> 00:01:18.900
and there are often consequences for not following them.

31
00:01:18.900 --> 00:01:22.410
When driving a car, policies tell us which side of the road

32
00:01:22.410 --> 00:01:25.530
to drive on, how fast we can legally drive,

33
00:01:25.530 --> 00:01:28.080
and that we have to stop at red lights.

34
00:01:28.080 --> 00:01:30.480
They also tell us who has the right of way

35
00:01:30.480 --> 00:01:31.530
at an intersection.

36
00:01:31.530 --> 00:01:34.920
Violating any of these policies will get you a ticket.

37
00:01:34.920 --> 00:01:39.270
Examples of security policies include separation of duties,

38
00:01:39.270 --> 00:01:42.360
job rotation, and mandatory vacation.

39
00:01:42.360 --> 00:01:44.910
Separation of duties helps prevent fraud

40
00:01:44.910 --> 00:01:47.790
by ensuring no single person has control

41
00:01:47.790 --> 00:01:50.130
over all aspects of a process.

42
00:01:50.130 --> 00:01:54.600
For instance, in accounting, one person cannot both request

43
00:01:54.600 --> 00:01:56.190
and approve a payment.

44
00:01:56.190 --> 00:02:00.150
In cybersecurity, one administrator might manage backups

45
00:02:00.150 --> 00:02:02.370
while another handles restoration.

46
00:02:02.370 --> 00:02:05.910
A variant of separation of duties is split knowledge.

47
00:02:05.910 --> 00:02:07.170
In split knowledge,

48
00:02:07.170 --> 00:02:10.380
two individuals each hold half of the information needed

49
00:02:10.380 --> 00:02:11.520
for a task.

50
00:02:11.520 --> 00:02:15.240
Split knowledge also includes breaking a cryptographic key

51
00:02:15.240 --> 00:02:18.600
into two parts and assigning each part of the key

52
00:02:18.600 --> 00:02:20.520
to different administrators.

53
00:02:20.520 --> 00:02:24.510
Next, job rotation involves training multiple employees

54
00:02:24.510 --> 00:02:26.670
to perform the same tasks.

55
00:02:26.670 --> 00:02:28.710
This helps to identify fraud

56
00:02:28.710 --> 00:02:31.320
and provides backup in emergencies.

57
00:02:31.320 --> 00:02:34.110
Job rotation also allows cross-training

58
00:02:34.110 --> 00:02:36.690
to enhance organizational resilience.

59
00:02:36.690 --> 00:02:39.630
Finally, mandatory vacation policies

60
00:02:39.630 --> 00:02:41.910
require employees to take time off.

61
00:02:41.910 --> 00:02:44.580
During mandatory vacations, their job duties

62
00:02:44.580 --> 00:02:47.070
are temporarily assigned to others.

63
00:02:47.070 --> 00:02:51.210
This can help uncover any suspicious activity such as fraud,

64
00:02:51.210 --> 00:02:53.520
while providing cross-training opportunities

65
00:02:53.520 --> 00:02:55.770
and backup for critical positions.

66
00:02:55.770 --> 00:02:57.690
The key benefit of policies

67
00:02:57.690 --> 00:02:59.610
is that they establish clear,

68
00:02:59.610 --> 00:03:02.310
mandatory principles and expectations,

69
00:03:02.310 --> 00:03:05.430
ensuring consistent behavior and decision making

70
00:03:05.430 --> 00:03:07.350
across an organization.

71
00:03:07.350 --> 00:03:10.020
This is just like having a speed limit

72
00:03:10.020 --> 00:03:12.510
that helps us ensure safety on the road.

73
00:03:12.510 --> 00:03:14.970
Second, let's discuss procedures.

74
00:03:14.970 --> 00:03:18.660
Procedures provide detailed, step-by-step instructions

75
00:03:18.660 --> 00:03:22.530
for implementing policies and are required to be followed.

76
00:03:22.530 --> 00:03:24.420
When driving, procedures tell us

77
00:03:24.420 --> 00:03:26.070
how to reach our destination

78
00:03:26.070 --> 00:03:28.050
through detailed driving directions.

79
00:03:28.050 --> 00:03:31.470
For example, take a right at the stoplight on Main Street.

80
00:03:31.470 --> 00:03:33.780
The steps for handling an incident response

81
00:03:33.780 --> 00:03:36.390
are an example of a security procedure.

82
00:03:36.390 --> 00:03:39.660
Procedural steps in an incident response may include

83
00:03:39.660 --> 00:03:42.060
notifying the incident response team,

84
00:03:42.060 --> 00:03:44.580
documenting the details of the breach,

85
00:03:44.580 --> 00:03:47.010
and following a specific communication plan

86
00:03:47.010 --> 00:03:49.260
to inform relevant stakeholders.

87
00:03:49.260 --> 00:03:52.740
For instance, in the event of a security breach,

88
00:03:52.740 --> 00:03:55.230
the incident response procedure dictates

89
00:03:55.230 --> 00:03:58.500
the exact sequence of actions an employee must take,

90
00:03:58.500 --> 00:04:00.900
from isolating the affected systems

91
00:04:00.900 --> 00:04:03.390
to contacting the appropriate authorities.

92
00:04:03.390 --> 00:04:06.750
In this case, the procedure ensures that nothing is missed

93
00:04:06.750 --> 00:04:08.490
during a critical moment.

94
00:04:08.490 --> 00:04:11.790
Similarly, in a backup and recovery scenario,

95
00:04:11.790 --> 00:04:14.040
the procedure outlines the exact steps

96
00:04:14.040 --> 00:04:16.170
for performing regular data backups

97
00:04:16.170 --> 00:04:17.880
and restoring those backups.

98
00:04:17.880 --> 00:04:21.630
This ensures consistency and accuracy.

99
00:04:21.630 --> 00:04:23.490
The key benefit of procedures

100
00:04:23.490 --> 00:04:25.740
is that they eliminate ambiguity,

101
00:04:25.740 --> 00:04:27.540
providing clear instructions

102
00:04:27.540 --> 00:04:31.560
that reduce the likelihood of errors or misinterpretation.

103
00:04:31.560 --> 00:04:34.200
Third, let's discuss standards.

104
00:04:34.200 --> 00:04:37.650
Standards define specific requirements that should be met.

105
00:04:37.650 --> 00:04:40.500
However, standards don't have the enforcement

106
00:04:40.500 --> 00:04:42.510
that laws and regulations do.

107
00:04:42.510 --> 00:04:45.690
Instead, they're created for specific industries

108
00:04:45.690 --> 00:04:48.270
to be followed as a best practice.

109
00:04:48.270 --> 00:04:49.740
Some standards, though,

110
00:04:49.740 --> 00:04:53.490
do have penalties associated with noncompliance,

111
00:04:53.490 --> 00:04:56.760
and that makes them extremely important to follow.

112
00:04:56.760 --> 00:05:00.120
For example, the standard stop sign in many countries

113
00:05:00.120 --> 00:05:02.700
is a red octagon that has the word "stop"

114
00:05:02.700 --> 00:05:04.380
in capital letters on it.

115
00:05:04.380 --> 00:05:06.990
This uniform and consistent sign

116
00:05:06.990 --> 00:05:09.960
helps drivers to know they need to stop their cars

117
00:05:09.960 --> 00:05:12.180
at an intersection even if they're driving

118
00:05:12.180 --> 00:05:13.530
in a foreign country.

119
00:05:13.530 --> 00:05:17.010
Although having red stop signs isn't an international law,

120
00:05:17.010 --> 00:05:18.810
using this guidance makes it likely

121
00:05:18.810 --> 00:05:20.640
that drivers will recognize the sign

122
00:05:20.640 --> 00:05:22.890
and stop at the appropriate time.

123
00:05:22.890 --> 00:05:25.350
Examples of security standards include

124
00:05:25.350 --> 00:05:28.110
the Payment Card Industry Data Security Standard,

125
00:05:28.110 --> 00:05:30.090
or PCI-DSS,

126
00:05:30.090 --> 00:05:34.260
the International Organization for Standardization, or ISO,

127
00:05:34.260 --> 00:05:38.820
the Capability Maturity Model Integration, or CMMI,

128
00:05:38.820 --> 00:05:42.390
and the National Institute of Standards and Technology,

129
00:05:42.390 --> 00:05:43.710
or NIST.

130
00:05:43.710 --> 00:05:46.200
The Payment Card Industry Data Security Standard

131
00:05:46.200 --> 00:05:49.080
is a contractual agreement that any organization

132
00:05:49.080 --> 00:05:51.960
handling credit card information must follow.

133
00:05:51.960 --> 00:05:55.980
While not a law, compliance is mandatory for organizations

134
00:05:55.980 --> 00:05:59.730
that collect, store or process credit card data.

135
00:05:59.730 --> 00:06:02.940
Failure to comply can result in losing the ability

136
00:06:02.940 --> 00:06:05.130
to process credit card transactions,

137
00:06:05.130 --> 00:06:07.800
which could cripple an e-commerce business.

138
00:06:07.800 --> 00:06:10.200
In contrast, other standard bearers,

139
00:06:10.200 --> 00:06:13.920
such as the International Organization for Standardization,

140
00:06:13.920 --> 00:06:16.530
the Capability Maturity Model Integration

141
00:06:16.530 --> 00:06:19.470
and the National Institute of Standards and Technology

142
00:06:19.470 --> 00:06:21.360
provide best practices

143
00:06:21.360 --> 00:06:23.790
rather than strict compliance requirements.

144
00:06:23.790 --> 00:06:26.370
The International Organization for Standardization

145
00:06:26.370 --> 00:06:29.190
provides a series of standards for industries,

146
00:06:29.190 --> 00:06:31.710
including information security.

147
00:06:31.710 --> 00:06:34.980
For instance, the "ISO 27000" series

148
00:06:34.980 --> 00:06:37.950
focuses on information system security management,

149
00:06:37.950 --> 00:06:40.980
with over 60 standards covering different aspects

150
00:06:40.980 --> 00:06:45.510
of an organization's IT network, policies and its controls.

151
00:06:45.510 --> 00:06:48.990
Next, the Capability Maturity Model Integration

152
00:06:48.990 --> 00:06:51.000
is a process improvement model

153
00:06:51.000 --> 00:06:55.470
used in the development of software, products and services.

154
00:06:55.470 --> 00:06:58.080
It assesses an organization's maturity level,

155
00:06:58.080 --> 00:07:01.110
defining levels that range from one to five,

156
00:07:01.110 --> 00:07:03.960
with higher levels indicating more refined

157
00:07:03.960 --> 00:07:05.970
and optimized processes.

158
00:07:05.970 --> 00:07:08.190
Government contracts often require

159
00:07:08.190 --> 00:07:11.700
a specific maturity level, such as three, four,

160
00:07:11.700 --> 00:07:14.370
or five to be met depending upon

161
00:07:14.370 --> 00:07:16.440
the complexity of the network.

162
00:07:16.440 --> 00:07:20.340
Finally, the National Institute of Standards and Technology

163
00:07:20.340 --> 00:07:24.090
provides over 1,300 standards for industries.

164
00:07:24.090 --> 00:07:27.810
In information security, the "NIST 800" series

165
00:07:27.810 --> 00:07:30.300
is a particularly important one.

166
00:07:30.300 --> 00:07:31.320
For example,

167
00:07:31.320 --> 00:07:33.720
the "National Institute of Standards and Technology

168
00:07:33.720 --> 00:07:36.900
Special Publication 800-53"

169
00:07:36.900 --> 00:07:39.720
outlines security and privacy controls

170
00:07:39.720 --> 00:07:43.620
for federal information systems, offering over 800 controls

171
00:07:43.620 --> 00:07:46.680
across 18 areas for risk management.

172
00:07:46.680 --> 00:07:49.710
The NIST standards, though not legally binding,

173
00:07:49.710 --> 00:07:51.900
are critical for ensuring security

174
00:07:51.900 --> 00:07:55.650
and operational efficiency in various sectors.

175
00:07:55.650 --> 00:07:57.330
The key benefit of standards

176
00:07:57.330 --> 00:08:00.450
is that they provide clear, uniform requirements

177
00:08:00.450 --> 00:08:04.320
and best practices, ensuring consistency, quality,

178
00:08:04.320 --> 00:08:08.310
and compliance across an industry or organization.

179
00:08:08.310 --> 00:08:10.800
Fourth, let's discuss guidelines.

180
00:08:10.800 --> 00:08:13.470
Guidelines offer recommended best practices

181
00:08:13.470 --> 00:08:15.840
to help achieve compliance and alignment

182
00:08:15.840 --> 00:08:18.570
with organizational policies and standards.

183
00:08:18.570 --> 00:08:21.090
You aren't required to follow guidelines.

184
00:08:21.090 --> 00:08:22.950
Using our driving analogy,

185
00:08:22.950 --> 00:08:27.180
guidelines include a map application such as Google Maps.

186
00:08:27.180 --> 00:08:29.820
Helpful journey guideline tips may include routes

187
00:08:29.820 --> 00:08:33.750
to avoid congested traffic and scenic locations for breaks.

188
00:08:33.750 --> 00:08:37.260
Although guidelines offer advice to improve your journey,

189
00:08:37.260 --> 00:08:39.210
you aren't required to follow them.

190
00:08:39.210 --> 00:08:41.160
Examples of security guidelines

191
00:08:41.160 --> 00:08:44.460
include recommendations for configuring firewall rules

192
00:08:44.460 --> 00:08:46.380
to enhance network security,

193
00:08:46.380 --> 00:08:48.360
or suggested encryption protocols

194
00:08:48.360 --> 00:08:50.130
for securing sensitive data.

195
00:08:50.130 --> 00:08:51.750
While these are not mandatory,

196
00:08:51.750 --> 00:08:54.480
following them helps strengthen the security posture

197
00:08:54.480 --> 00:08:57.390
and align with industry best practices.

198
00:08:57.390 --> 00:08:59.970
Password management is also a guideline.

199
00:08:59.970 --> 00:09:03.570
It might suggest using multifactor authentication

200
00:09:03.570 --> 00:09:06.060
and implementing password complexity rules,

201
00:09:06.060 --> 00:09:08.070
even if an organizational policy

202
00:09:08.070 --> 00:09:09.990
doesn't mandate these measures.

203
00:09:09.990 --> 00:09:13.290
These recommendations help employees make informed decisions

204
00:09:13.290 --> 00:09:16.470
and adopt more secure practices voluntarily.

205
00:09:16.470 --> 00:09:19.350
The key benefit of guidelines is their flexibility,

206
00:09:19.350 --> 00:09:22.230
allowing organizations to tailor best practices

207
00:09:22.230 --> 00:09:25.020
to their specific needs without the strictness

208
00:09:25.020 --> 00:09:26.790
of policies or procedures.

209
00:09:26.790 --> 00:09:30.390
So remember, Security Program Documentation

210
00:09:30.390 --> 00:09:33.870
outlines how organizations manage and protect

211
00:09:33.870 --> 00:09:36.930
information systems from security threats.

212
00:09:36.930 --> 00:09:40.410
It includes administrative controls such as policies,

213
00:09:40.410 --> 00:09:43.560
procedures, standards, and guidelines.

214
00:09:43.560 --> 00:09:46.650
These regulate employee behavior and manage human

215
00:09:46.650 --> 00:09:48.810
and operational risks.

216
00:09:48.810 --> 00:09:51.510
Policies establish required principles

217
00:09:51.510 --> 00:09:54.450
while procedures provide detailed mandatory steps

218
00:09:54.450 --> 00:09:56.190
for implementing policies.

219
00:09:56.190 --> 00:09:59.100
Next, standards define best practices

220
00:09:59.100 --> 00:10:01.740
and compliance requirements and include

221
00:10:01.740 --> 00:10:04.560
the Payment Card Industry Data Security Standard,

222
00:10:04.560 --> 00:10:07.860
and the "International Organization for Standardization

223
00:10:07.860 --> 00:10:09.900
27000" series.

224
00:10:09.900 --> 00:10:13.050
This ensures consistency and security.

225
00:10:13.050 --> 00:10:16.170
Finally, guidelines offer recommended,

226
00:10:16.170 --> 00:10:19.920
flexible best practices to help organizations align

227
00:10:19.920 --> 00:10:21.810
with policies and standards.

228
00:10:21.810 --> 00:10:24.330
Together all these components form a framework

229
00:10:24.330 --> 00:10:27.420
for decision making, security and compliance,

230
00:10:27.420 --> 00:10:31.020
ensuring that security programs follow best practices

231
00:10:31.020 --> 00:10:33.243
and regulatory requirements.

