YouTube Transcript: CISM Masterclass Essentials You Won't Find Anywhere Else!
Summary

Core Theme

This content is a comprehensive guide to the Certified Information Security Manager (CISM) certification, focusing on understanding the exam's structure, key concepts, and how to "think like a manager" to succeed. It covers all four domains of the CISM syllabus, emphasizing governance, risk management, program development, and incident management.

Video Transcript
hi team welcome to my session on coffee
with PR and today we're going to discuss
about CM your last minute guide I can
assure you one thing it is a first kind
of a video on YouTube which talk about
all the four domains based on the news
labus my name is PR and I'm taking a
cism from last 10 year and when it come
to success rate in last 10 year I maintained
maintained
99% and um for more information you can
check my LinkedIn profile and if you're
new to the channel do subscribe to the
YouTube channel and click on the Bell
icon to make sure you should not miss is
the future videos on a similar topic so
without wasting a time let's start with
[Music]
you okay so in cism we have a total four
domains and full form of cism is
certified information security manager
now when talking about the cism so we
have a domain one which is called
information security governance because
governance help you to build the
foundation we're going to discuss in the
further slide what is governance but for
your information governance is all about
set of operations Now set of operations
are there which help you to conduct the
information security risk management
because when you want to implement any
kind of a controls in the organization
you have to do risk management based on
risk management based on that we can
Define the controls with the help of
information security program because
information Miss security program
include all the controls what we have
and make sure the controls are working
effectively and all that if any issue
comes in the control with the help of
inent management we can manage and
whatever the Gap we identify we report
back to the same to the board now this
is the complete cycle we have so
governance is a set of operation they're
doing a risk assessment to identify gaps
threats issues and based on that they
organize the controls and information
security program and once they implement
the controls any kind of a program any
kind of a challenge they basically face
we can handle this change challenge with
the help of inent management process and
from the inent management process we get
the reporting and everything by which we
can able to improve the controls and
that is how the cism has organized the four
domains okay so in cism people say you
have to think like a manager you know
you don't you should not think like a
practitioner so what is the definition
of think like a manager see whenever you
answer any questions the first thing is
that whenever you answer make sure you
have to keep mon in your mind is you
have to focus on business goals I'll
give an
example now according to you what is the
best firewall need your suggestion in
the comment box some people will say
Polo Alto some will say 40 net but the
best firewall is the one which meet the
business requirement that is the mindset
we need in so normally we have a two
type profile in the company one is
practitioner and one is called as a professional
so practitioner is the one who implement the
solution and professional is the one who
manage okay every organization start with
with
strategy then we have a tactical plan
and then we have an operational
plan now cism guy is basically come on
this side professional he understand the
business he understand the requirement
he understand the Regulatory and based
on that he will do the risk assessment
and suggest the control and get the
control implemented from the operation
team that is how things works so
professional is the one who understand
the business analyze the requirement and
practitioner is the one who implement
the solution so in the cism you have to
think like a professional okay there is
no one solution which fix all the issues
you have to understand that
also understood that's that's basically
the most important part now as I said
when it come to
cism okay you have to you have to focus
on business goals that's the first
priority business goals like you know
always align your answers with the
organization objectives such as
protecting assets ensuring compliance
and more important enable the business
continuity by end of the day you have to
maintain the CIA but always remember one
thing ultimate goal of any solution is
to achieve the business objectives is it
clear second we have a risk-based
thinking risk-based thinking is very
important so you have to prioritize risk
management by identifying assessing
mitigating risk in a way that you can
able to balance the security need with
business business operations in layment
term I can say any kind of initiative
you're doing in the organization when
you hire anyone when you fire anyone you
do risk assessment so risk based
thinking you need to have in the system
let's say example you're dealing with
multiple incidents with the limited
resources so how you handle that you'll
do first impact analysis or risk
assessment to prioritize what is
important and what is not the third
important thing we call as a strategic
alignment okay so you have to emphasis
on how the information security supports
the organizational strategy and you also
need to check the goals rather than
focusing only on technical controls so
that is the first important thing you
need to understand from the exam point
of view so that is called as a think
like a manager concept now second
important thing you have to uh you can
say you have to analyze the scenario
holistically how so you need to consider
stakeholders that is your first priority
so you have to evaluate the scenarios
from the perspective of employees
Executives customer and Regulators okay
that's a one thing second is long-term
implications you have to choose the
answer that reflect the sustainable and
scalable Solutions rather than
short-term fixes example like ultimate
goal of risk management is not to
identify risk but reduce the risk to an
acceptable level right so that's called
as a long-term implication the third
most important part is called as a
compliance and governance so you have to
incorporate all the regulatory
requirement governance Frameworks and
everything okay next is called as a um
which is called as a um prioritize the
actions based on a impact very very important
important
now here we have a most important thing
is required is critical thinking so you
have to you know assess which actions
provide the greatest value which reduce
the most critical task you are to also
need to consider Resource Management
where you consider cost effective and
resource constraint when you're
selecting a Solutions and then we have a
inent response when you're handling the
incidents in the exam questions focus on
minimizing the business impact and
restoring the operations efficiently
ultimate goal of inant management is to
reduce a risk to an acceptable level
that's true so that that you have to
check how you basically prioritize that
okay always remember avoid all the
technical over premises okay example
like or over emphasis sorry like for
example detailing firewall configuration
is not
required more focus on how far will
enforce the policies second is when
you're discussing the
encryptions emphasis will be role on the
achieving a confidentiality objective
than the technical implementations so
these are the basic steps is required
for your understanding that you need to
follow follow okay now in the exam this
keywords are very important the first
keyword is best best use according to a
particular situation example like you
have created a security policies what is
the best way to communicate the policies
so answer is awareness training but when
you're creating a pol created a policy
the most important step is approval of
management so difference is that best is
focus on best appropriate and strategic
Solutions among the several valid
options all four options will be great
but still we have to select the one one
which can cover everything on the second
part the word most is there most
highlight the critical priority and
highest impact example like what is the most
most
important outcome of security governance
or what is the most important
requirement of successful security
governance the answer is basically C
management approval without C management
approval we can't do anything on top of
it one more important is called as a in
aligned with the business objective
because if it's not aligned with the
business objective management cannot
approve that so keyword is most
or second option is in the month of
December most of the Indians or most of
the people in India go to Goa so that's
called critical priority highest impact
but best to be stay at home according to
the problem another keyword is basically
called as a primary primary mean what is
the first goal of this initiatives okay
like what is the primary goal of your uh
watching this video learning no learning
is one of goal but ultimate goal or
prime AR goal is to pass this exam right
so when you're doing any initiative you
have to understand from this initiative
what is a primary like primary goal of
Incident Management reduce the impact
primary goal of problem management drag
the root cause so primary mean from this
particular initiative what is the first
thing I will achieve then last is called
as a first first we use in that case
when you're talking about sequence like
what is the first step in the risk
management what is a first step in the
Bia what is the first step in this what
is the first step in that whenever the
question talking about sequence it mean
the question talking about first and all
that so you have to select answer
accordingly sometime what happen is
options are also combination example
like what is the first step of the risk
management answer is identifying risk
but one also option is there is reduce
risk to an acceptable level now this
option is an outcome of the question not
a sequence but this option is the
sequence of the question so this is how
you need to validate the functions and
for more information there's already a
video I made on the C some think like
manager do check that okay ultimate goal
of this video is to give you the
visibility about what is cover in cism
so that's like primary objective of this
video is not to teach you how to think
like a manager but what is in
cism so there's another video I have you
can check that video okay so let's let's
move to the first domain which is called
one so before we start with actual thing
let's understand the basics first so
what what is
governance okay so governance is like a
you know governing something or it is a
it is basically a framework okay it is a
framework for rules practice and process
that guide how organization is managed
and controll now if you take example of
country like India let's say example of
India okay so we have more than 25
States right so we have more than 25
States each state has their own belief
system so country like India country
like Pakistan country like Bangladesh
country like us UA and all that so each
and every stat each and every country
has their their own belief
systems and there are some different
resources we have like people are there
nature is there so everything need to be
managed properly and to manage them they
need to create a
rules okay they need to introduce law
they need to manage them appropriately
so they will form one system system that
system is called as a governance if you
take another
example okay with the same context of
India and India what happen is we have a
ministers so we appoint ministers the
minister create a law they create a
department and then they manage them to
create a value for us that is called as
a governance even when your parents
create a rules for you introduce a
processes for you okay every day morning
you have to wake up 9:00 10:00 you need
to have a breakfast 11:00 you have to go
to school come back so they creating a
policy which is called as a law for you
they're creating a process how to follow
that policy and by end of the day
they're trying to create a discipline to
give you the better life same like
company in order to manage that company
their resources everything they create a
rule they create a practices and
processes that guide how the
organization is manage and control I
want to show you one video okay so you
important so if you see this video
visibility he just Di directly jump into the
the
glass you can see the way of taking taxi
it is against the law wherever you
park you jump and you break the glass no
one care even it is mentioned no helmet
he's still wearing a helmet and now you
see the entry
tan so that is a perfect example of bad
governance now understood so if they
have a system if they have a law if they
have some policies then nothing will be
happening like that so that's why called
governance ensure accountability
transparency alignment with the goals
and objective so it is like governance
which is a process of governing or
overseeing the control and direction of
something okay if country creating
governance country governance if
parenting creating a rule for their kids
that is called parenting governance so
now question is why governance matter in
the organization
okay so the first part why governance
matter so why because the first biggest
reason is direction see when you're
talking about governance governance set
the organization goals okay and they
strategic directions just like family
you know you have a family so family is
goals okay set they set the goals they
they set the you know the goals like
they want to planning a vacation so or
they want to save for a new car or
making sure kid do wells in a school so
governance in an organization also set
the goals and directions okay so if you
take example this is the bank we
have so this bank is doing offline
business in Delhi or Melbourne offline
business mean there's nothing online
everyone has to go to bank and Avail the
services now the bank understood they
want expansion they need to introduce
it so they have given instruction to CI
plan the it function then CI get the
information from a ceso ensure the
security all these part of a strategic
Direction so the family have a strategic
direction to save money spend quality
time together or prioritize education
same like the company basically have a
strategic Direction okay this year this
plan next year this plan and if the
organization has appropriate strategy
and everything that shows a good
governance governance that's why
governance matter second is called as an
accountability see it ensure your
decisions are made responsible with a
clear and accountability at every level
that's why if you notice in your company
you have a racy metrics racy racy metric
so someone is responsible someone is
accountable someone is need to be
consulted and informed okay so in a
family same everyone has a
responsibility so parent might manage
the finance older kids might help with
the you know and younger kids are
responsible for their school work so
governance ensure everyone know their
roles and it can be counted on so if
anything happen for instance a family
can quickly see who was supposed to do
what hold them accountable so they have
a visibility so accountability is very
important the third important thing risk
management in my further slide we
discuss in detail so governance
structure helps to identify assess and
control the risk same like your family
face risk too like managing expenses
staying being safe or preparing for
emergencies right so governance in a
family involved planning for those risk
like saving from unexpected expenses or
having an emergency contacts or teaching
kid about safety and this way risk are
minimized now let's say example I'm
getting every month salary of
$10,000 suppose I have a kid I don't
have a kid but suppose I have a kid now
he said today he need a PlayStation so I
have to see my finance and I will see
okay can I gift him a PlayStation in
this budget and if I gift him
PlayStation from this cause can I able
to run my entire house understood so
here I'm doing a RIS because I don't
want if tomorrow buy and I have to face
the consequences same like company when
they go for new project and all that so
project can give reward also but it can
also give a liability a good company is
the one a good governance is the one we
do risk management because ultimately we
have to reduce the risk and prepare for
the surprises and last is called as a
governance called compliance why
governance matter in the organiz because of
of
compliance so like example my father has
set the rules for me so I have to abide
with that rule so I'm using a word
called comply with the rule understood
so family follow the rules right so
compliance ensure we other to the law
regulations and internal policy which
protecting the organization from fines
or reputational damage so compliance
here like family follow the rules or
maintain the harmony to ensure everyone
well beinging like beted time limit on
screen time or taking turns with
responsib ility right like on the on the
on the dinner time no phones so we have
to comply with the rule rule was set
under the governance so because if you
see the word
g RC governance risk management
compliance so during a governance we set
the rule and now we have to comply if we
don't comply there is a risk right so
during a part of a building process they
have ensured no one will basically take
a phone during a dinner time and this is
basically we have to comply right so
compliance basically ensure you other to
the specific things okay now question is
overall why governance matter so in this
example you notice right without
governance family might
struggle okay if you don't have a
direction the family might struggle with
you know unexpected goals confusion over
the responsibility and conflict around a
rule and by setting a goal and ensuring
accountability we can prepare for risk
and maintaining a rule and the family
can build a healthy organized and
supportive environment just as a
governance does for the organization
that is why governance matter today in
the organization so let's discuss the
next part a key element of governance so
the question is what are the key
elements of the governance the first
important element is policy and standard
everyone has to wake up on time it's a
law created by it's a policy or it's a
rule of my house same like every system
must be protected with the password that
is a policy policy is nothing it is like
a law of the company seem like policy
which is cre for my house it's a law of
my house but the standard is what time
we have to wake up like policy say that
we have to wake up on time but question
is what is a Time 7:00 a.m. is the
standard time it is for me and for my
cousin so the first important component
which is a foundation for any any
company governance is policy so if you
want to check the maturity of any
company first ask for the
policy okay so governance include
setting up the
policy okay and standard that Define the
expected behavior and operational
practice and this these policies helps
to establish what is allowed required or
prohibited within the organization same
like I said in family policy are like
house rules such as no phones at dinner
table or bedtime at 9:00 p.m. so these
rules set clear expectation what is
allowed or what is not and they help
everyone understand what behaviors are
expected to maintain Harmony at the home
that is where any kind of an activity
you want to introduce policy is the
first step second important element is
called roles so governance Define who is
responsible for various activity so
there should not be any surprises okay
and this is something we document as a
decision within the organization and
this ensure the accountability and
Clarity so that everyone understand
their duties from a Senior Management to
the individual contributor so every
family member has a specific role like
parent may handle the finance grocery
shoppings older kids will taking care of
the trash or doing the dishes and so
role make sure everyone know what they
responsible and this reduce the
confusion and making the family run
smoothly that is why in your company you
have a RAC Matrix third is that whatever
the policy standard we have to follow it
is followed by the
procedures okay so on one side we are
saying we have to go on bed 9:00 a.m. or
9:00 p.m. so what is a process what is a
procedure or I have to set eight8
character password so what is a process
what is a procedure so governance
outline the procedures that ensure consistent
repeatable outcome so these process are
specially important in the critical
areas like Risk Management compliance
and quality control I'll give an
example so I the I have appointed a Dr
coordinator Disaster Recovery
coordinator he created a procedure or
she created a procedure now in her
absence or in his absence someone can
follow the procedure blindly and that is
called as a good governance
so procedures are the one which generate
the same results consistent results like
procedures like processes in a family
like routine such as getting ready for
the school in the morning or each steps
is organize everyone wake up eat
breakfast brushes their te teeth and get
dressed so these routines helps the
things to ensure in a predictable way so
no one miss the school bus or forget
their lunch that's why that's very
important part the next thing is called
as accountability and oversight so
governance provide the mechanism to
monitor the activities okay which is
added to the policies and all that and
this oversight bodies like board of
directors or governance committee they
review the report because if you ask me
the overall function of governance is
three so we have a governance part
evaluate direct and monitor and this is
my operation team when they work on that
this is basically oversight by the board
so board is the one who always get a
reports on regular basis because by that
they get a visibility and it is very
important to have that
okay it is very important so same like
you know we collecting a audits we doing
an audits we review the reports and by
this you can hold people accountable for
their actions that's why when you face
any Audits and all that you you know
auditor give you the recommendation and
then do the follow up okay that's that's
an important part so accountability in a
family mean making sure everyone does
their part so parent check if if uh
cleaning has been done properly or if
homework is completed like you know I'm
sure you also experiened that that's EX
example of
oversight next important thing a good
governance is the one where whatever the
strategy you have set whatever the
initiative you have set it is aligned
with the business goals for instances
governance might ensure securitya
practices align with the business goals
so that good security governance is the
one which align with the business goals
or family might have a goal like saving
money or Vacations so making sure
everyone eat healthier so governance
helps to align daily activity with these
goals understood so that is something is
part of the function so these are the
key components we have now now let's
understand how the overall organization
works in the functions okay so we going
to discuss now type of governance so
that give you the better
visibility see when we talking about
organization hierarchy so this is how
the actual organization works so the
first part is called as a
CEO okay now before going to discuss
this I want to discuss the hierarchy so
as I said governance is a set of
operation okay so under the governance
we have a important element let me
change the
color okay so under the governance we
have first thing which is called as a corporate
governance corporate governance
corporate governance okay and corporate
okay they are the one who set the goals
and they are the one who set the
direction hey guys we have to start new
business we want to go digital so that
is defined by the corporate governance
now who is part of corporate governance
board and Senior Management they are the
one who set the goals so let's say
example we are doing offline business
and now we want to do online business
okay that is basically my goal
so we have decided because right now
we're doing offline banking so I want to
start banking services in entire
Melbourne and I want to do in Sydney
example or I want to do in Delhi or I
want to do in Mumbai so what happen is
Corporate governance said that okay
increase business increase sales and
everything so then it is giving a
direction to the IT
team which is called as it governance
they create policy they create
procedures they introduce AI ML and all
that so this is basically driven by the
CIO Chief Information officer so he so
corporate governance given given a
direction to it governance hey guys we
want to go digital now support digital
but make sure this digital should be
secure we have one governance which is
called as a information security
governance they create their policy
procedure and all that to protect the
business and protect the it and protect
the business so that's why say C CEO is
the one who set the organization strategy
strategy
we want to go digital fine CIO will
ensure how the deel can support the
goals ceso will ensure how the security
can be achieve that then security
manager create isms and all that then
security admin is there who create a
sock sop and this is how the security
technical team operate on the local
level so that is how the entire
hierarchy works so to understand better
let's understand one by one each and
every statement okay so first let's
discuss about the corporate
governance so I already explained you in
the previous slide what is corporate
governance so Foundation of GRC is
Corporate governance because they are
the one who said the thing so if you see
the hierarchy according to corit
corporate governance is the one who
follow three thing e DM according to
covid E stand for evaluate so they
evaluate the legal requirement regulat
requirement compliance requirement
customer requirement in in my further
slide we discussed how we arrange the
sequence so they evaluating the market
condition and they understood yes we
have to go digital okay we have to go
digital that is basically my need we
have so corporate governance understand
that particular
thing and then they
basically giving a direction to the
CIO okay so CIO is the one who drive the
initiatives so now CIO got the direction
so now what happen is C based on that
create a strategy they create the
Tactical plan they create operation plan
and then so we have a evaluate direct
CIO is the one who will do the planning
building run and monitor but parall we
also have a
ceso ceso also doing a planning building
run and monitor to make sure it can able
to secure the business and provide the
report and this is basically called as a
e DM evaluate direct and monitor and
cesos and CI doing a PBR they creating
their strategy that's called it
governance they're doing their
information security governance and
corporate doing their function that
called corporate governance so corporate
governance set the Strategic objectives
and it guide the ethical Behavior
oversee the compliance with legal
regulatory requirement so their major
Focus will be on the board
oversight they want executive to be
accountable they want transparencies and
they are actually accountable for
anything what is happening in the
organization so and but the challenge is
basically balance ING profitability with
the social and environmental
responsibilities because they have to
run the business also but also respect
the culture and everything and they are
the one who set the regulated landscape
and they follow the topd approach
without governance we can't Implement
anything remember that without
governance we can't Implement anything
so that is basically called as a
corporate governance now second is
called as a it governance they are the
one who align the it strategy with
corporate objectives as I said the bank
has decided they want to go online right
now they are the one who creating it
strategy to ensure how can they go
online so they are the one who managing
a risk associate with the digal
transformation and their focus area is
how to allocate the resources how to
create a performance metrics risk
management and integrate with the
business goals but challenges basically
as the technology get changed today you
can see there is a need of AI artificial
intelligence machine learnings and all
that so they have to see how can they
optimize the it Investments and
everything now next is called as a
information security governance see in
some companies information security
reports to it in some companies
information security directly report to
the board so here the information
security governance ensure the
protection of information asset through
the policy standard and framework and
their focus area will be data protection
risk assessment insent response
compliance and everything challenges as
things getting change and all that
growing balance is there so how to
comply with legal regular how to
maintain security is the most important
part see when you document information
security under the information security
we have a cyber
security so difference is cyber security
assets and information security protect
all type of assets
assets
all type of asset I repeat again
information security protect all type of
asset where cyber security protect
digital assets. If I have a laptop, it has data that will be protected under cyber security. I will keep this laptop in the physical locker; that comes under physical security, okay. And in information security we have three goals: maintain the confidentiality, integrity and availability. Like, I want to make sure whatever information we collect will be protected from unauthorized disclosure. It is the user who decides this information should be available to one person or to this person; apart from that, if it's available to anyone else, it's a breach of confidentiality. Whatever information we provide, it must be accurate; that is called integrity. And third is it must be available whenever it is required. It is the same, right, like you're sharing your secret with your friend and he told everyone; will you trust him? No, so it's a breach of confidentiality. You ask for some advice and he gives some wrong advice; will you trust him again? No, that is integrity. He said, okay, whenever you need me I will be available, and he was not available when you needed him; that is availability. So that is how governance, risk, compliance and information security work in the organization.

Now this is the summary, okay. So here you can see corporate governance sets the strategic objectives for IT, okay, they are the ones. So first is set the objectives; second, we also define the compliance requirements that we need to comply with, the legal and regulatory requirements; and then they basically expect an IT risk assessment report from IT, but IT gets this assessment from information security governance, okay. Information security governance implements the security controls. Information security governance reports to the CIO on the IT security metrics. They do the risk assessment end to end to make sure things are working correctly, so that they get reports on a regular basis, and they also report the IT performance. So this is basically the overall type of governance.

Now we're going to discuss a day in the life of a GRC analyst. See, in different companies people do different roles, okay. In some companies GRC analyst means doing audit work; in some companies the GRC analyst is the one who does the risk assessment and the implementation of controls. So let's understand the day in the life of a GRC analyst, so you get visibility into what kind of role he does, okay. Let's move to the next part.
So, information security governance. I can say, if you're preparing for the CISM, domain one is very important. I know it covers only 17%, but that is very important, because when you're talking about domain one, okay, it's very important for you to know the basics. 17 percent, so approximately you will get 25 questions from this, and that is the best thing about ISACA: what they commit, they follow. If they say they give 25 questions, they really mean it. So this module represents the combination of 25 questions, okay, that you need to know for the exam. Okay, now before I start this section, I want to discuss the basics of that; I don't want to directly start with the session. So first I want to discuss what information security is, but as I said, when you're preparing for this CISM, give proper attention to domain one because that is the base for the rest of the domains.

Now here, when you're talking about information security, information security is always an outcome of confidentiality, integrity and availability. Before we jump into CIA, I want to discuss the basics of information security. So we have two: infosec, and then we have cybersec, information security and cyber security. Cyber security is a part of information security, so you can say information security is the umbrella. So if I say I want to protect all types of assets, then the answer is information security, but if I want to protect only digital assets, then the answer is basically cyber security. So let's understand with an example. We have a phone here, this is my phone, okay. In the phone we have WhatsApp chats, I have images and all that. So this is basically protected with the password, a 4-digit PIN; that is called cyber. But I place this phone in a physical locker and I lock the phone with a particular physical key; that is called physical security, which is part of information security.

Now when I join as a CISO in any organization, let's say for example I join a bank, okay. Now they're saying, PR, we want to create value for the business and we are expecting information security to create value for us. Definitely we create value for the business. How? We make sure whatever transactions are there, they are only available to the respective customer. So what does it mean? It means we are maintaining confidentiality, like this is the transaction, it will be only available to the respective customer who basically owns that account. And if this information goes outside of these two, so this is the bank, this is the customer, and if it goes to any third person, it is a breach of confidentiality. And how do we achieve that? With the help of encryption, access controls and all that. Second is, whatever transactions we are doing, they should be processed without any error, so we have to ensure the transaction is done in a proper manner, so we maintain the hashing and all that. And third is that whenever the user wants the website to be available, it must be available; that is called availability. And forget about that, today we use this CIA triad in real life also. Example: like this is my friend and I told him, buddy, this is an issue and don't tell anyone, and he makes sure he will not tell anyone, but one day what happened, he told some people and that broke the trust, because he doesn't maintain confidentiality. Second thing is, I ask the friend, okay, yeah, how's your married life, you know, is the marriage good and all that, so he said yes, his marriage is heaven and all that, you should also get married. So I trust his advice and I follow the advice, and what happened is, it's sad, I really appreciate but I'm just giving an example, after that I don't get that friend. So that is basically called integrity. He told me, whenever any issue happens I will be available; I said okay, and when I needed him I called him, buddy, there's a fight happening, you have to be there, and after that he vanished; that is called an availability issue. So same like in the organization, if you fail to maintain confidentiality, if you fail to maintain integrity, if you fail to maintain availability, then it will impact the business. So your information security outcome is to maintain the confidentiality, integrity and availability, and that's why we say, for adequate protection of information assets, information security strategy is essential, and that is the process we need to understand here.
Now this is the process, but before I jump into the process I want to explain to you with an example. See, when we're talking about any organization, right, so we have a vision, then we have a mission, and then we create an information security strategy, ISS. Information security strategy: you need to understand the sequence, okay. Information security strategy, then the information security strategy is backed and supported by the information security policy, and then the information security policy is included in the information security program. In the information security program, the first thing we do is risk management, and based on that we enforce the controls. So this is the sequence you need to know from the exam point of view. I repeat again: vision of the company, mission of the company, then we have an information security strategy; based on the information security strategy we create an information security policy; the policy will be backed and supported by the information security program, because any kind of program you want to introduce should be backed and supported by the policy. So when we create a program, the first thing we create is a policy for that. By the end of the day, policy is a part of the program, policy is included in the program, but to build the program you need a policy. And when you're implementing controls, all the controls come under the program, which includes your incident management, patch management, everything; everything is part of the information security program. But when to implement, how to implement, that comes with risk management.

And you can see here, the organization has an objective. So the organization has decided they want to go... so right now the organization is doing a lot of offline business, they're doing offline business, but now they want to go global, okay. They want to go global, and that is only possible when they do all the business with the help of a website. So now when they want to go by website and all that, okay, so the vision of the company is to provide digital services sustainably, and the mission is basically what we set for the internal stakeholders. So here we have a vision, here we have a mission, and now we are creating an organization strategy. Organization strategies: increase business, increase customers and all that. And then further it is divided into two parts: one is maintained by the CIO and one is maintained by the CISO, and you are here, you are here. The CIO will ensure cloud needs to be there, technology needs to be there to support the digital business, but make sure the business needs to run in a secure manner, make sure the technology needs to be in a secure manner; this is basically why we have a CISO. So the CISO is the one; the first thing he does, he will create an information security strategy which covers your security objectives like protect the information, maintain the trust and all that, and based on that security strategy we develop the comprehensive policy, and that is where we have a security policy. Policy talks about the controls, and those controls are part of a program. Can you see that program? So that something is basically there, and the program will be implemented with the help of risk management. So that's why we say the organization informs the information security manager, the information security manager creates the information security strategy, that basically covers your objectives, and then based on the objectives we create a policy, and the policy basically defines the controls for the security program, and to implement all the controls we need to do it with the help of risk management. You can see risk management provides the feedback; based on that we update the program. Program effectiveness we need to inform to the information security manager, and the information security manager informs the management. That is how it works. So in this entire structure, information security governance plays a very important role.
Okay, so before that I want to discuss one more important point which gives you better visibility. So this is a blank screen, but it's okay. See, vision: why we exist in this world, that's called vision. We have a mission: mission is basically the path. And then we talk about the strategy; the strategy is called the organization strategy, okay. I will discuss all these pointers further in detail, but right now I'm just covering a high level. So the organization strategy is there, and then the organization strategy is further divided into the IT and information security strategy. Information security strategy is driven by the CISO and IT strategy is driven by the CIO. So this is called information security governance, this is called IT governance, and this is called corporate governance, okay. So that's how it works.

So the ultimate goal of information security governance is to create value, okay; the ultimate goal of information security governance is to create value. So a question that can be asked in the exam is: what is the purpose of information security governance? Establish an effective information security program that aligns with the enterprise goals, protects assets and supports compliance; that is the primary purpose. So if you get any question talking about what the purpose of information security governance is, it is to make sure it supports the goals, protects assets and supports compliance. Second is the focus of information security governance; so purpose is different, focus is different. Focus is basically what you're going to do. So the information security governance outcome is risk management, because it is not possible for me to protect all the assets with the same value, so with the help of risk management we have to prioritize, remember that, okay, we have to prioritize, and through that prioritization you are able to optimize the resources. Same like, you know, it is not possible for you to read word by word, line by line and remember everything until the last day of the exam, so what do you do? You will create a strategy, and in the strategy you create a program, a study program of two weeks, and in that program the first thing you do is risk management: what is important, what is not. So with the help of that, with the limited resources, you try to optimize that, and those limited resources you implement, you do the performance measurement of that, and more important, you integrate with the enterprise business. That is the purpose, that is the focus of information security governance, and by doing this you are aligning with the enterprise goals, protecting the assets and supporting compliance.

So what is the CISM context you have to remember? So as a CISM context, one thing you need to understand here is: information security program success relies on strong alignment with the enterprise's overall governance, leadership support and a structured approach. Without leadership support you can't implement information security governance in the organization. So always remember one thing: without leadership support you can't implement a program, without leadership support you can't implement the policy, without leadership support you can't implement any solutions. But one important requirement to get the leadership support is that your information security strategy should be integrated and aligned with the business objectives; if it's not aligned with the business objectives you can't get approval on your program. Always remember, okay, that's a very important part.

Now another important thing we need to understand here is, yes, this diagram; it's very, very important for you to know, okay. So this is the hierarchy we have, okay. Now here you can see the first part is "how", so here these are the steps which talk about how to implement information security in the organization, okay, it's very important. Now the first thing, and I'm going to explain with a use case, okay, so the first thing is basically called determine the desired outcome. See, when you're preparing for CISM, this is your current state and this is your desired state. Desired state: you want to clear the exam. Current state: where you stand. So it's not necessary you have to start from zero; you can do a gap assessment and based on that you are able to prioritize, okay. And this is the same thing we're doing, we are determining a desired outcome. So let's say for example the leadership of company ABC, or Aspirants, identify the high-level outcomes they want to achieve, and these outcomes include safeguarding customer data, meeting compliance requirements and reducing the risk of a data breach. The compliance requirement is GDPR. So what Aspirants did: Aspirants' outcome here is they want to achieve 100% compliance with GDPR, they want to achieve zero day vulnerability, and they want to ensure the availability of services, okay. So that is the desired outcome they are expecting.
Now for that, what we did is we defined the security objectives, okay. Security objectives: that something is part of the function. Now when we're talking about the security objectives, it's like, you know, you're translating the outcome into measurable security objectives. On one side you're saying you want to achieve 100% compliance, right, so now you will define your security objectives like implement encryption, okay, deploy a 24x7 SOC, conduct monthly vulnerability assessments; that is called define the security objectives. And then you will see what they currently have, okay. So see here, my goal is I want 100% compliance, okay, I want zero day vulnerabilities to be achieved, like I don't want to have any kind of vulnerability, and I want to ensure uninterrupted services. So that is my outcome; based on the outcome I have created security objectives like implement encryption, you know, deploy a 24x7 SOC, okay, doing vulnerability management, create policies and everything; that's the security objective. But what do we have currently? And this is basically what I'm doing in determine the current state. So I will assess the current security posture to understand the gap between the existing and desired state, and for that I will do a gap assessment, identify what they have, and based on that I will identify and do the risk assessment, okay. Like no encryption is implemented, security monitoring is manual and vulnerability assessments are performed once a year, okay. I will do the deep gap analysis, so I will identify the gap between the current state and desired state. For example, gap number one is no encryption, so we require implementing full-disk encryption; no 24x7 monitoring, so we require setting up the outsourced SOC; and third is performing infrequent vulnerability testing, so we require increasing the frequency. That is basically perform the gap analysis between the current state and desired state. And then I will develop the strategy to close the gap; this is the plan for how to address the identified gaps, like encrypting sensitive data, partnering with a third party, increasing the vulnerability scan frequency to monthly; that something is develop the strategy to close the gap. And then I will create a roadmap for that; I will break down the strategy into actionable steps like I will do research on encryption tools, encrypt the sensitive data, onboard the SOC provider or automate the vulnerability scanning. And then finally I will define and develop the program with the governance policy, like I will establish the ISMS, define the incident response procedures and develop the third-party management policy, and then I will manage the program with the help of metrics. Your entire CISM is around this area only, okay, the entire CISM is around this area only.

So we talk a lot of the time about GRC: governance, risk management. So governance is a set of processes by which we set the policy and ensure alignment with business objectives; in my previous section you have seen how governance works. Then we have risk management; risk management is all about identifying risk and everything so that we are able to treat the risk, reduce the risk to an acceptable level. And finally we have compliance: compliance with the legal, regulatory and organizational standards. So let's say for example, in the previous video, the same example I've said is: when you join any company you create a process, you're creating policies, that's part of governance. If you want to run any country you need to create law; law is created by the ministers and that shows good governance. Parents creating law, parents creating rules for your kids, that's governance, right. But to follow the process, it's not possible for me to do everything, so I will do risk management. So governance does the risk assessment to identify and prioritize, so that they are able to comply with the legal and regulatory requirements.
Now when you're talking about ISACA, they follow COBIT, and COBIT differentiates governance from management, okay. Now here, before I move to that, I want to discuss the COBIT example. So in COBIT we have one thing called EDM, okay, and governance, and another thing is called PBRM. Now what is the meaning? Let me explain to you. So when I say EDM, EDM is driven by governance; governance means corporate governance here. And PBRM is by the management; management is CIO and CISO. So in COBIT they actually segregate the thin line of difference between governance and management. So in layman's terms you can say governance is all about evaluating the needs of the stakeholders, evaluating the needs of regulators, giving directions to the CIO and CISO, and the CIO and CISO, based on that, plan, build, run and monitor, and whatever metrics we have, we provide to the management. So this is one thing you need to know from the exam perspective: governance is the one who sets the goals and management is the one who focuses on execution. So as a CISM context, you need to understand the distinction between governance and management. So in layman's terms you can say governance is like corporate governance; management is who runs the show, management is the one who manages that particular show, the CIO and all that, okay. That's a very important part.

Now when you're going for the CISM, it's very important for you to know the roles. So one thing you need to understand is these roles. Board of directors: one thing you need to remember, they are ultimately accountable for anything, whatever is happening in the organization. So any question talking about who is ultimately accountable for security, the answer is the board and executives; remember that. The information security manager is the one who develops, communicates and manages the strategy and policy. He's the one who develops the policy, he's the one who develops the strategy, but the board is the one who approves those policies, because it's a conflict of interest. Third is called the data owner. So every company has a business owner who brings business to the organization; even when you're sending an email, when you're creating a document, you are the data owner. So the data owner ensures the data security policy aligns with the organization's needs and legal requirements. Now there is one more thing we call a committee, okay. One is called a committee, and one committee you need to know from the exam point of view, which is called the security steering committee, SSC. Now the difference between the committee and the board or management is the committee is temporary: when we're executing any project, for that we create a committee. A committee is basically the combination of representatives from the board and the operations team. So in CISM the committee is very important because they do the joint, so, for example, the security manager creates a policy, he submits the policy to the committee; the committee has a team of all people, technical, functional, business, and they will share their viewpoint about the policy from all the verticals. See, one thing is that if they review and approve, it's a very good policy; if they approve the strategy, it's a very good thing, because we are getting a viewpoint from all the people. So many organizations form the security steering committee consisting of stakeholders from many of the organization's business units, departments, functions and principal locations, and they may have a variety of responsibilities, okay. So if they are approving anything it's a good thing, okay, because they are getting a viewpoint for everything. So that's something you need to know from the exam point of view, okay.
Another important thing: we have a data owner and we have a data custodian. Let me explain with an example. So this is your airport, okay; so you carry your baggage and you're traveling from Delhi to Goa, so you tell the airline team you are traveling from Delhi to Goa and my bag has some fragile items. So you are the one who owns the bag, so same like, you are the data owner. The airline team are the ones who ask what is fragile and all that, and you would inform them. So the airline team is the one who manages that baggage on behalf of you, so they are the data custodian. So same like in the company, security administrators, backup administrators, they are the ones who are the data custodians, and they protect data based on the data owner; the data owner is the one who follows the policy. That is how the entire company works.

But when you're talking about implementing security governance, the most important factor which drives information security governance is culture. Culture is very important. Now what is an example? You join one organization, okay, there is no culture of reporting an incident. You join one more company, for example, where you can see everyone is reporting the security issues. You join one company where you can see no one follows the policy seriously, and there is one company which follows the security policy seriously; that's called culture. Culture is the foundation for any organization, okay. You have the best security solutions, you have the best security policy, but if there's no good culture they will not follow that. So organization culture impacts the effectiveness of information security, especially in the area of teamwork, norms and communication. So very important, you need to understand the biggest parameter which impacts security is culture. So as a CISM context, the CISM professional must ensure the roles are clearly defined, okay, and the culture supports the information security initiative. So if you get any question talking about what is the most important support for information security initiatives, the answer is culture, because culture includes your leadership support, culture includes the people and everything, okay.

Now let's move to the next part. So as I said, if you want to build information security governance in the organization, the first step is create a strategy. Strategy is very high level, okay. Let's say for example this year my strategy is I want to implement a SOC for 2024, I want to implement VAPT in 2025, 27001 in 2025; so I'm talking about the high-level requirement, okay, that's something documented in the strategy. And a good strategy is the one which aligns with the business, so we follow some principles, okay. So the purpose of strategy is to define the objectives, define the goals and the roadmap; one thing you need to remember, okay. And the key objectives of the information security strategy are strategic alignment, risk management, value delivery and resource optimization, and as a CISM candidate you should know this. So when I say I'm implementing information security in the organization, or I'm saying, okay, this company has good security governance, okay, good security governance: how can you say you have good security governance? So the outcome of good security governance, or the outcome of a good, you know, strategy, is that the first, most important part of your strategy should be aligned with the business objectives. So if they give you the question, what is the primary objective of security strategy: option A strategic alignment, option B risk management, option C value delivery and resource optimization. By the end of the day, by achieving this you're achieving this only; ultimately your information security strategy should be aligned with the business objectives, and for that what we have to do is risk management. See, on one side your business is saying that with $2,000 you have to protect everything; a good strategy is the one which aligns with this requirement, but for that the first thing we have to do is risk management. Risk management is very important because with the limited cost you have to implement the security, and by doing risk management I'm creating value delivery, I'm ensuring the security investments benefit the business, right, and last, we are able to do that with the help of optimization of resources. So you can see that the outcome is to align with the business; for that we do risk management, and that creates value; why? Because with the help of limited resources I am able to manage everything. So the outcome of a good security strategy is these four or five outcomes. So a good strategy, as I said, a good strategy is the one which clearly communicates its value, includes the metrics for performance measurement, and it should be aligned with the business.

See, when you're creating a security strategy you have to also understand the legal, regulatory and contractual requirements, okay. So one thing is that compliance: compliance is nothing, it's all about the act of abiding. I will give an example, okay.
Let's say for example, this is the office which is in India, and I highly recommend you check my governance fundamentals video, which also gives you good visibility about governance. So let's say for example I join as a CISO, so we have an office in India, okay, they're doing support for EU operations. So they're doing support in the European Union; one of the countries they're supporting is Germany, okay. So they have a sales team in India. So I need your reply in the comment box: if you are doing business in Europe, what is the primary privacy regulation you have to follow? The answer is GDPR. So you need to follow GDPR; in GDPR so many articles are there. Is it possible for you to follow all the articles? The answer is no, okay. And if you tell the sales team, hey guys, you have to follow GDPR, they will basically run away from the company, because in GDPR we have more than 25-30 articles. But what happens is we appoint the DPO, data privacy officer; he will interpret the GDPR requirements and then he tells the CISO, okay buddy, we need to implement this and that control. So we implement this and that control on the second floor, like USB access is blocked, camera is enabled, no one carries a smartphone. So by creating a policy, creating a strategy, this is part of information security governance, okay. You implement the controls on the second floor; by that you comply with GDPR. Compliance is nothing, it is all about the act of abiding. So if this is the company and you're saying you have good governance, how can you demonstrate it? You comply with certification, you comply with ISO, you comply with everything; so that's called the outcome of good governance, okay, and you ensure governance with the help of security functions. So compliance is all about the act of abiding, okay. Privacy law is there, GDPR and everything. It's very important, the difference between privacy and secrecy: privacy deals with individual information, secrecy deals with organization information.

Sometimes when you're creating a strategy and all that, you also need to consider third-party management. You have to contract, so it should be a contract with the third party, and the contract should include data protection requirement clauses and audit rights. One thing you need to remember: whenever you're dealing with the vendor, make sure service levels need to be documented and a right-to-audit clause should be there. So if both options are there, select service level, because without service level you can't do the audit. Is it clear? So whenever you're dealing with third-party vendors, make sure in the contract you add the service levels; without service levels it is difficult for you to ensure the quality, security and everything. Regulatory standards we have to follow. So as a CISM context, what you need to understand is understanding regulatory impact is critical, because based on regulation only you create a security strategy, okay. Now let's say for example you need to implement the itions on the border network, but because of the regulator you can't intercept the data; so your regulatory requirement impacts the strategy. So if you get any question around what is the biggest impact on the security strategy, the answer is regulations, because we follow regulations, regulations will not follow us. Understood?

So based on the information security strategy we create a policy, and policies we have to do based on the risk assessment. See, any kind of activity you want to do, you do the policy first, okay, so policy is the foundation; we'll discuss in the further slides what policy is, okay. So when you're building an information security program, what is the first step? You create the information security strategy, then you create a policy and then you create a program. Same like ISMS, you know, ISMS is the program, right, but the foundation of the program is the ISMS policy as per clause five. So your program includes multiple things: the first thing is called risk assessment, risk management program, security policies, awareness training, all these things, incident management program; all these are part of information security program development. But the sequence is: first we do risk assessment, identify issues; based on that we identify we need controls; to implement the controls you create a policy first. That's why, if you notice, policies are created based on a threat profile which is signed by the management and understood by the employees. One example is, in my previous scenario I said we need to comply with GDPR, right, so we identify some controls required for GDPR, so for that first we need to create security policies: hey guys, no one is supposed to browse social media, no one is supposed to carry USB drives. So here what happened, we create a policy based on the threat profile; the threat is failing to comply with GDPR, emerging threats, regulations and all that. And then I communicate those policies with the help of awareness training. Awareness training is all about modifying behavior; the ultimate goal of awareness training I'm going to discuss in the further slides.
going to discuss in the further slide ultimate goal of awareness training is
ultimate goal of awareness training is to make the employee aware about the
to make the employee aware about the responsibility so the primary outcome of
responsibility so the primary outcome of the security program is to realize of
the security program is to realize of strategy goals and objectives now to
strategy goals and objectives now to implement the program in the
implement the program in the organization the first thing we need to
organization the first thing we need to understand the components okay so we
understand the components okay so we Define the steps we include the people
Define the steps we include the people process technology because by end of the
process technology because by end of the day PPT work together to create a value
day PPT work together to create a value and we also need to see what are the
and we also need to see what are the constraint and potential risk we have so
constraint and potential risk we have so we follow the architecture architecture
we follow the architecture architecture is a road map okay it's a structure
is a road map okay it's a structure framework which support the strategy and
framework which support the strategy and implementations and one of the framework
implementations and one of the framework we talk about is sapsa and toaf because
we talk about is sapsa and toaf because we decided we need to implement the
we decided we need to implement the program in the organization but how to
program in the organization but how to do that so one of the common framework
do that so one of the common framework we follow is sapsa let me show you an
we follow is sapsa let me show you an example okay now here you can see the
example okay now here you can see the example of sapsa but before that let me
example of sapsa but before that let me explain you one
explain you one thing see sapsa is an architecture okay
thing see sapsa is an architecture okay now what is
architecture architecture is called as a logical framework okay now what is that
logical framework okay now what is that let's say example this is your current
let's say example this is your current state okay you're not going to gym
state okay you're not going to gym you're not doing any workout you're not
you're not doing any workout you're not having a proper food neither you sleep
having a proper food neither you sleep on
on time and desire state is that you have
time and desire state is that you have to go for 5K marathon you have to go for
to go for 5K marathon you have to go for 5K marathon
5K marathon running problem is that based on current
running problem is that based on current state it's not possible so you decided
state it's not possible so you decided you need a strategy you need a program
you need a strategy you need a program but PR but strategy is like um you know
but PR but strategy is like um you know be healthy and all that and program is
be healthy and all that and program is achieve this running and all that so you
achieve this running and all that so you decided you have to go gym and all but
decided you have to go gym and all but how to do this so you need to organize
how to do this so you need to organize this blocks in a sequence and this is
this blocks in a sequence and this is where you introduce the architecture
where you introduce the architecture framework you introduce the architecture
framework you introduce the architecture framework okay first in the morning I
framework okay first in the morning I will do gym then I will do I will have a
will do gym then I will do I will have a work uh I will have a food then I will
work uh I will have a food then I will do yoga so I organize this in a block
do yoga so I organize this in a block which help me to arrange the sequence so
which help me to arrange the sequence so this timetable is called as a
this timetable is called as a architecture same like you want to
architecture same like you want to construct a house what is the first step
construct a house what is the first step so you need a doors you need a balcony
so you need a doors you need a balcony you need a sofa
you need a sofa so by following this architecture you
so by following this architecture you can get a visibility about what is a
can get a visibility about what is a resource how much money we need to spend
resource how much money we need to spend so one of the architecture is sapsa so
so one of the architecture is sapsa so they say okay you want to do something
they say okay you want to do something think first understand the business
think first understand the business perspective then you have a conceptual
perspective then you have a conceptual architecture then you have a design then
architecture then you have a design then you construct then you introduce
you construct then you introduce Solutions here which is called component
Solutions here which is called component and then you manage them so saps and
and then you manage them so saps and toaf are one of the Frameworks that we
toaf are one of the Frameworks that we follow okay don't worry in the exam you
follow okay don't worry in the exam you don't need to know each and every
don't need to know each and every component but you need to have
component but you need to have visibility what is the name of an
visibility what is the name of an architecture or driven architecture
architecture or driven architecture security architecture which align with
security architecture which align with the business and sapsa is basically one
the business and sapsa is basically one of them and there's a dedicated video I
of them and there's a dedicated video I made on sapsa if you want to really
made on sapsa if you want to really understand detail you can check that so
understand detail you can check that so saps to is important so as a cism
saps to is important so as a cism professional you should adapt to create
professional you should adapt to create a road map that factor the organization
a road map that factor the organization constraint and align with the security
constraint and align with the security architecture another important thing in
architecture another important thing in the program we have a data
the program we have a data classification see it's not possible for
classification see it's not possible for me to protect all the data with the same
me to protect all the data with the same value so we BAS basically understand the
value so we BAS basically understand the value of the data and according to that
value of the data and according to that we produ same like you know your ward
we produ same like you know your ward drops in your house you have two type of
drops in your house you have two type of clothes one cloth that you wear for uh
clothes one cloth that you wear for uh anniversaries events and all that and
anniversaries events and all that and one cloth you're wearing in a house and
one cloth you're wearing in a house and all that definitely you give more
all that definitely you give more attention to the the things that you buy
attention to the the things that you buy outside according to that you will spend
outside according to that you will spend money also on those clothes right so
money also on those clothes right so same like you have a pi
same like you have a pi data and you have a business data you
data and you have a business data you have a operation data let's say example
have a operation data let's say example for you Pi is very important because if
for you Pi is very important because if you don't protect Pi data it can be have
you don't protect Pi data it can be have a big impact so here we decide the base
a big impact so here we decide the base on a value value is toward the
on a value value is toward the regulation okay so data classification
regulation okay so data classification when you classify the most important
when you classify the most important factor is how much it value to the
factor is how much it value to the business and this is basically where I
business and this is basically where I want to add my ceso advice when you're
want to add my ceso advice when you're talking about any organization we only
talking about any organization we only have a three type of data one is called
have a three type of data one is called regulated data one is called business
regulated data one is called business data and one is called as an operational
data and one is called as an operational data by end of the day any company you
data by end of the day any company you take this is the only classification we
take this is the only classification we have any data which Rel to regulation
have any data which Rel to regulation come under regulated data your trade
come under regulated data your trade secrets and everything will part of
secrets and everything will part of business data and operational data is
business data and operational data is like you know logs and everything
like you know logs and everything ultimately we cannot able to give
ultimately we cannot able to give attention to same all so we classify and
attention to same all so we classify and categorize but the most important
categorize but the most important parameter based on which we classifies
parameter based on which we classifies value value is also two type qualitative
value value is also two type qualitative and quantitative an ultimate goal of
and quantitative an ultimate goal of data classification is to ensure the
data classification is to ensure the data should receive the appropriate
data should receive the appropriate level of
level of security okay and and classific
security okay and and classific ification is a foundation for any data
ification is a foundation for any data management so data classification when
management so data classification when you're talking about here
you're talking about here is okay proper classification underpin
is okay proper classification underpin data protection effort and see some
data protection effort and see some professional need to ensure the
professional need to ensure the classification align with the business
classification align with the business standards okay so we have some standards
Okay, so we have some standards that you need to know, like COBIT is there; COBIT is a framework, okay? So here you need to understand what is the difference between the framework and the standard. What is the difference between the framework and the standard? Framework is a logical structure; standard is a requirement. First we adopt the framework and then we go for the standard. Let's say, for example, I want to implement information security in the organization. I don't know anything, so I will adopt the NIST framework, this is called the CISA framework, and one of the framework requirements is you need to have password management. Now, here, based on my experience I can say the password should be 8 characters, but I'm looking for the universal example. So in that case NIST also has a standard on these particular things, so they talk about 14 characters as the minimum secure password; ISO says that 8 characters is a secure password. That's called a standard. Same like I want a TV, that is a necessity of my house, that is called a framework, but I want to go for an LG TV, that is a standard. So a framework can be customized and modified as per the business requirement, but a standard comes with certification, a standard comes with mandatory requirements. Standard is just an English word; it means uniform across the organization, okay? So COBIT is a framework which aligns IT with business, ISO 27001 is a standard for information security, and TOGAF is a framework. So by and large, that's why I said if you want to implement the program and you have zero visibility, you can start with the framework first. So by applying a framework you are able to align the business objectives and everything. So as a CISM candidate, as a CISM candidate you must know how to apply the frameworks effectively to develop governance models that support the organization's resilience. That's a very important part.
now next important thing we talk about the information security metrix
the information security metrix definitely once you implement the
definitely once you implement the program you have to measure the program
program you have to measure the program okay and for that we introduce a matrix
okay and for that we introduce a matrix now if you get a question in the exam
now if you get a question in the exam what is the ultimate purpose of Matrix I
what is the ultimate purpose of Matrix I repeat what is the ultimate purpose of
repeat what is the ultimate purpose of Matrix so answer is measure the
Matrix so answer is measure the effectiveness of information security
effectiveness of information security strategy that's it ultimate goal of
strategy that's it ultimate goal of Matrix is measure the effectiveness of
Matrix is measure the effectiveness of the security strategy and the key
the security strategy and the key metrics are inant response time
metrics are inant response time compliance rates V ability metrics it's
compliance rates V ability metrics it's very important you have to regularly
very important you have to regularly track this progress and according to
track this progress and according to that you need to improve the program
that you need to improve the program that's a very important part is it clear
that's a very important part is it clear and another important thing is the
and another important thing is the metrics are essential to demonstrate the
metrics are essential to demonstrate the success of security initiatives example
success of security initiatives example like I've conducted a security awareness
like I've conducted a security awareness program um last week so before awareness
program um last week so before awareness program 50 people report incident after
program 50 people report incident after awareness program 70 that's good number
awareness program 70 that's good number that matter Matrix help me to give the
that matter Matrix help me to give the value okay we conducted awareness
value okay we conducted awareness session before awareness session we have
session before awareness session we have 50 and after awareness session people
50 and after awareness session people reporting more insurent which is called
reporting more insurent which is called 70 so this is how I'm demonstrating the
70 so this is how I'm demonstrating the success of anything okay so one thing
success of anything okay so one thing need to remember is ultimate purpose the
need to remember is ultimate purpose the primary purpose of metric is demonstrate
primary purpose of metric is demonstrate the effectiveness of information
the effectiveness of information security strategy and metrix are
security strategy and metrix are demonstrating the security initiatives
demonstrating the security initiatives that something is there now if you want
Now, if you want to convey any kind of security solution to the board, the one document that we prepare is the business case. This is a very important topic for the exam. The business case provides the value. Let's say, for example, I did the risk assessment, I did the gap assessment, and I identified that I want a firewall. Now I cannot simply go with the risk assessment results to the board, so here I will present the business case. In the business case I will include the risk assessment data, value propositions and everything, and this is the exam question: is risk assessment part of the business case, or the business case part of risk? No, risk assessment is a part of the business case. The business case is a document that you submit to the board; you demonstrate to the board why security is important. So one important point about the business case: a clear rationale for security investment. Now what are the elements in a business case? Define the problem, current state, financial implications, risk-benefit analysis. Again I'm telling you, the business case should be simple and easy to understand, and you are a subject matter expert in information security, you know how to present the facts. So any document which proposes security investments, the answer is business case.

Same like now you're looking for the CISM training, right? So you're presenting a business case to the board: see, we want to go for CISM training; by this we are able to manage this kind of resource, we are able to manage this kind of project; by doing this training we can increase the business from this particular parameter to this particular parameter. So the business case is providing a justification for your security initiative, okay? That's a very important part. So in a CISM context you should often create a business case to justify the security spending, and a good business case is the one which aligns with the business goals. A good business case, a good business security case is the one which aligns with the business goals; if it's not aligned they will not approve. Always remember. Is it clear? That's an important part of the requirement, okay, that's a very important part of the requirement.
And when you're talking about the business case, then we move to strategic planning. So when you talk about strategic planning, we have some activities for the continuous, like we do the awareness trainings, okay? The difference between awareness and training is: awareness modifies behavior, training modifies the skill, okay? So we have to make sure we have a skill development task. As I said, I was under the impression that, okay, an 8 character password is a secure password, so I was using 1 2 3 4 5 6 7 8, but in the awareness I got to know it should be a combination, alphanumeric. I was an IT consultant moving to security, so that is where I attended the CISM training, which modified my skill. One thing you need to understand: every company has a skill matrix chart, a skill matrix chart. So this is called a skill matrix chart, okay, which maintains the skill set. But one is that we have a skill set, but do we have an educated person on that skill set, and if yes, what is the level? So that's something we check with the help of the competency score. Skill is something you need to carry to perform the task, but do you have that level of skill? That comes from the knowledge. What is the level of knowledge? We assess with the help of the competency chart. The competency chart talks about how much knowledge we have about the skill, and we have an inventory which is called the skill inventory. So the project manager checks the skill inventory, then from the skill inventory he checks how many people are there at that competency of skills, and according to that they allocate the project.

So in a CISM context, what you need to understand here is, in a CISM context what you need to understand here is that continuous education strengthens the human element, because who is the weakest link in the organization? People. People are the weakest link, okay, and that can be addressed with the help of awareness training. So always remember, from the exam point of view, the most effective control for social engineering, password sharing, is the security awareness program, because even if you have a strong password, okay, but you're a victim of social engineering, then there's no point in having that solution. So the most effective control against social engineering is the awareness program, okay?
awareness program okay now another important part we need to discuss is
important part we need to discuss is risk management process okay so next
risk management process okay so next part is risk management we're going to
part is risk management we're going to have a dedicated module on the risk
have a dedicated module on the risk management but in the domain one they
management but in the domain one they talk about basics of risk
talk about basics of risk management risk management ultimate goal
management risk management ultimate goal is reduce the risk to an acceptable
is reduce the risk to an acceptable level but when we talking about risk
level but when we talking about risk management it is driven based on three
management it is driven based on three factors
factors appetite tolerance and capacity and the
appetite tolerance and capacity and the one thing which is variable in nature is
one thing which is variable in nature is tolerance so let me explain with the
tolerance so let me explain with the example so risk capacity mean maximum
example so risk capacity mean maximum risk organization can handle
risk organization can handle risk appetite is level of risk
risk appetite is level of risk organization willing to accept and risk
organization willing to accept and risk tolerance is an
tolerance is an acceptable deviation from the appetite
acceptable deviation from the appetite very very important same statements is
very very important same statements is very important
very important okay let's take example I'm withdrawing
okay let's take example I'm withdrawing every month salary which is
every month salary which is $1,000 that is my salary that is a
$1,000 that is my salary that is a maximum salary I'm getting in a month
maximum salary I'm getting in a month and that's a maximum I can invest in a
and that's a maximum I can invest in a month that is my risk
month that is my risk capacity okay I decided from the, to
capacity okay I decided from the, to $100 on my
$100 on my training it's not fixed but it is the
training it's not fixed but it is the thing which I defined my boundary that
thing which I defined my boundary that is my risk
is my risk appetite and the current training I'm
appetite and the current training I'm taking which is a $150 that is my
taking which is a $150 that is my current risk tolerance which I'm okay to
current risk tolerance which I'm okay to lose but there's a one new training is
lose but there's a one new training is coming which cost me $250 in that case
coming which cost me $250 in that case my risk tolerance going beyond the
my risk tolerance going beyond the appetite but thankfully it is not going
appetite but thankfully it is not going beyond the
beyond the capacity okay so I will analyze
capacity okay so I will analyze everything before taking this Final Call
everything before taking this Final Call okay so when we talking about about risk
okay so when we talking about about risk treatment which is called acceptance
treatment which is called acceptance transfer
transfer mitigation avoidance all these factors
mitigation avoidance all these factors are decided based on the risk capacity
are decided based on the risk capacity epid and tolerance always remember okay
epid and tolerance always remember okay so the maximum risk the organization can
so the maximum risk the organization can handle so in this case $1,000 is the
handle so in this case $1,000 is the maximum risk $200 is basically my risk
maximum risk $200 is basically my risk Apper time and 150 is my risk tolerance
Apper time and 150 is my risk tolerance okay so it can go above the 200 so by
okay so it can go above the 200 so by end of the day risk tolerance defined my
end of the day risk tolerance defined my function so if you are a startup
function so if you are a startup okay you don't have anything to lose so
okay you don't have anything to lose so in that case you have a high risk
in that case you have a high risk tolerance but if establish company in
tolerance but if establish company in that case you have a low risk tolerance
that case you have a low risk tolerance okay same like now when you started your
okay same like now when you started your journey in cyber you have nothing to
journey in cyber you have nothing to lose so you have a more risk tolerance
lose so you have a more risk tolerance you take more risk but when you have a
you take more risk but when you have a commitment liabilities and everything
commitment liabilities and everything you'll think twice so if you have a low
you'll think twice so if you have a low risk tolerance you okay to invest more
risk tolerance you okay to invest more money on the controls when you have a
money on the controls when you have a higher risk tolerance in that case you
higher risk tolerance in that case you okay to accept risk compared to accept
okay to accept risk compared to accept the controls so anything go beyond the
the controls so anything go beyond the capacity you avoid that particular
capacity you avoid that particular business let's take another example the
business let's take another example the speed limit set by the government is
speed limit set by the government is 200 the maximum speed you can go to
200 the maximum speed you can go to 1,000 the current speed is your 150 that
1,000 the current speed is your 150 that is again the parameter and you decide
is again the parameter and you decide everything when you start your car from
everything when you start your car from the house is it clear you want to go
the house is it clear you want to go airport you know in 1 hour you cannot
airport you know in 1 hour you cannot reach even you go by thousand so you
reach even you go by thousand so you drop the idea that's how you prioritize
drop the idea that's how you prioritize the things so risk in Risk Management we
the things so risk in Risk Management we have risk as identification
have risk as identification analysis evaluation treatment is it
analysis evaluation treatment is it clear so one thing we need to understand
clear so one thing we need to understand here is season practition play Vital
here is season practition play Vital role in balancing a risk by ensuring it
role in balancing a risk by ensuring it aligned with the organization risk
aligned with the organization risk tolerance and capacity and based on
tolerance and capacity and based on appetite we take the
appetite we take the calls always remember one thing
calls always remember one thing practitioner is the one who assess the
practitioner is the one who assess the parameters and based on that they take a
parameters and based on that they take a call okay so we have to avoid some
call okay so we have to avoid some common governance pitfalls when you
common governance pitfalls when you implementing a security strategy we
implementing a security strategy we follow some challenges the first is
follow some challenges the first is technical
technical complexities with which can limit the
complexities with which can limit the understanding adoption of new security
understanding adoption of new security and everything secondly sometime budget
and everything secondly sometime budget constraints are there I want to
constraints are there I want to implement new things but we have a
implement new things but we have a budget constraint and because of that
budget constraint and because of that with difficult to us to implement third
with difficult to us to implement third is conflicting business priorities
is conflicting business priorities that's another important
that's another important concern so as a as a season context you
concern so as a as a season context you need to understand is you need to aware
need to understand is you need to aware about the challenge which help the
about the challenge which help the season professional to proactively
season professional to proactively address and security bind from the
address and security bind from the leaderships that's a very important
leaderships that's a very important part now we have some other challenge
part now we have some other challenge also like complex cities and budget
also like complex cities and budget constraints so here you need to balance
constraints so here you need to balance the cost and Effectiveness security you
the cost and Effectiveness security you need to conflicting the business
need to conflicting the business priorities because insuring security
priorities because insuring security doesn't hinder the business operations
doesn't hinder the business operations okay and third is without CA management
okay and third is without CA management we can't Implement anything so that's
we can't Implement anything so that's the most important part okay it's a most
the most important part okay it's a most important part so if you get all three
important part so if you get all three options select high level sponsorship
options select high level sponsorship because without leadership support you
because without leadership support you can't implement the information security
can't implement the information security governance in the
governance in the organization now next is called periodic
organization now next is called periodic reporting so regular updates on security
reporting so regular updates on security post is very important because that
post is very important because that bring the
bring the transparency and for that you need to
transparency and for that you need to have a proper communication because
have a proper communication because without communication you cannot get the
without communication you cannot get the approvals so strong Communications
approvals so strong Communications skills are crucial for cism role as it
skills are crucial for cism role as it they often needed to be articulated the
they often needed to be articulated the complex security issues in a more
complex security issues in a more effective manner that's a very important
effective manner that's a very important part so this is all in the domain one
part so this is all in the domain one okay let's move to the domain
okay let's move to the domain two so now we are moving to domain two
two so now we are moving to domain two information security risk management
information security risk management uh when talking about information
uh when talking about information security risk
security risk management uh 20% is testable from the
management uh 20% is testable from the domain two and approx 30 questions we
domain two and approx 30 questions we can expect from domain 2 30 questions
can expect from domain 2 30 questions exactly now when you're talking about
exactly now when you're talking about risk management information security
risk management information security risk management ultimate goal of risk
risk management ultimate goal of risk management is to reduce risks to an
management is to reduce risks to an acceptable level so if you get any
acceptable level so if you get any question on topic around what is
question on topic around what is ultimate goal of risk management answer
ultimate goal of risk management answer is ultimate goal of risk management is
is ultimate goal of risk management is to reduce a risk to an acceptable level
to reduce a risk to an acceptable level now one thing we need to understand and
now one thing we need to understand and we have to understand the
we have to understand the process so before we move uh we need to
process so before we move uh we need to discuss high level what is risk
discuss high level what is risk management process so and let me explain
management process so and let me explain you
you that so under risk
that so under risk management we have a first thing called
management we have a first thing called risk
risk identification second is called as a
risk analysis third is called as a risk evaluation and fourth is called as a
evaluation and fourth is called as a risk treatment so we have a four-step
risk treatment so we have a four-step process now if you take a example of
process now if you take a example of risk identification risk identification
risk identification risk identification include identifying
include identifying asset identifying
asset identifying threats identifying
threats identifying vulnerability under the risk analysis we
vulnerability under the risk analysis we have a two steps
have a two steps qualitative and quantitative
qualitative and quantitative because if you talking about R
because if you talking about R identification threats are something
identification threats are something called as an action that you perform and
called as an action that you perform and vulnerability is called as a weakness so
vulnerability is called as a weakness so this is my server a okay and the server
this is my server a okay and the server is configured with weak password weak
is configured with weak password weak password so there is a possibility
password so there is a possibility hacker can exploit this weak password
hacker can exploit this weak password and through which he gain access to the
and through which he gain access to the system so hacker is a threat actor for
system so hacker is a threat actor for performing an action weak password is a
performing an action weak password is a vulnerability we exploit and through
vulnerability we exploit and through which we gain access to the system and
which we gain access to the system and access to the data access to data is
access to the data access to data is basically a risk if someone can gain
basically a risk if someone can gain access
access and whenever we calculate risk we use a
and whenever we calculate risk we use a formula called likelihood and impact
formula called likelihood and impact likelihood probability of happening and
likelihood probability of happening and impact is if it happen what is the
impact is if it happen what is the impact so in Risk identification stage
impact so in Risk identification stage we identify asset we identify threats we
we identify asset we identify threats we identify vulnerability but we need to
identify vulnerability but we need to understand the level of impact and there
understand the level of impact and there is a two way to calculate the level of
is a two way to calculate the level of impact qualitative or quantitative
impact qualitative or quantitative qualitative where we use high low medium
qualitative where we use high low medium and quantitative where we use the
and quantitative where we use the numbers SLE Al o and then that results
numbers SLE Al o and then that results we're going to evaluate we evaluate the
we're going to evaluate we evaluate the results with the
results with the capacity with the appetite and with the
capacity with the appetite and with the herb tolerance and based on that we
herb tolerance and based on that we decide to take a treatment we'll discuss
decide to take a treatment we'll discuss in the further slide ultimate goal is to
in the further slide ultimate goal is to reduce risk to an acceptable level that
reduce risk to an acceptable level that is the ultimate goal we have remember
is the ultimate goal we have remember that now here we're talking about the
that now here we're talking about the risk identification so when you talking
risk identification so when you talking risk identification uh it's all about
risk identification uh it's all about identifying all assets threats and
identifying all assets threats and vulnerability including a third party
vulnerability including a third party risk and address the potential impact
risk and address the potential impact now we have a different type of threat
now we have a different type of threat we have internal threats like Insider
we have internal threats like Insider poor configuration lack of
poor configuration lack of awareness and external threats are
awareness and external threats are called as cyber attacks APS and natural
called as cyber attacks APS and natural disaster let me give you another example
disaster let me give you another example of threat and vulnerability let's say
of threat and vulnerability let's say example you have a weakness you cannot
example you have a weakness you cannot say no for anything you're very
say no for anything you're very introvert guy you cannot say no to
introvert guy you cannot say no to anything now some relatives use that an
anything now some relatives use that an opportunity and one day what happen they
opportunity and one day what happen they say see we bring a marriage proposal for
say see we bring a marriage proposal for you and because you have a vulnerability
you and because you have a vulnerability that okay you cannot say no to anything
that okay you cannot say no to anything default you accepted that and what was
default you accepted that and what was the impact see likelihood will be high
the impact see likelihood will be high the relative will come to your house and
the relative will come to your house and they can propose you any marriage
they can propose you any marriage proposal and all that and if you say yes
proposal and all that and if you say yes the impact is basically high so that's
the impact is basically high so that's called the threat is an action
called the threat is an action vulnerability is a weakness okay so
vulnerability is a weakness okay so internal threat Insider threats po
internal threat Insider threats po configurations and all that external
configurations and all that external threat cyber attacks AP and all that and
threat cyber attacks AP and all that and for the emerging threats we have a AP AP
for the emerging threats we have a AP AP is something very very important you
is something very very important you should know from exam perspective at
should know from exam perspective at advanced persistent threats okay so they
advanced persistent threats okay so they basically hack the servers they hack the
basically hack the servers they hack the network and maintain the persistent
network and maintain the persistent access of the
access of the organization so what is the learning we
organization so what is the learning we have from the cesm context perspective
have from the cesm context perspective so when you're talking about from a cesm
so when you're talking about from a cesm context
context perspective as a CM it is crucial to
perspective as a CM it is crucial to have an in-depth understanding of the
have an in-depth understanding of the threat landscape and proactive in
threat landscape and proactive in identifying and mitigating new risk okay
identifying and mitigating new risk okay so first step in the risk management is
so first step in the risk management is risk identification it's all about
risk identification it's all about identifying assets
okay and assess the Potential Threat and using a historical to create a risk
using a historical to create a risk scenario now second is Step called as a
scenario now second is Step called as a risk assessment process where we
risk assessment process where we evaluate the potential impact and
evaluate the potential impact and likelihood of each identified threats
likelihood of each identified threats including assets threat Source
including assets threat Source vulnerabilities and operations we do the
vulnerabilities and operations we do the two level of assessment here also
two level of assessment here also vulnerability assessment and threat
vulnerability assessment and threat analysis vulnerability assessment is all
analysis vulnerability assessment is all about identifying the vulnerability so
about identifying the vulnerability so let's say example this is my system a
let's say example this is my system a this is my system B
this is my system B so we identifying the weak password we
so we identifying the weak password we identifying known configuration we we
identifying known configuration we we running a tool the tool maintaining a
running a tool the tool maintaining a signature of known vulnerability we
signature of known vulnerability we apply those signature on the system to
apply those signature on the system to identify the
identify the vulnerability okay and from there also
vulnerability okay and from there also we identify the threats so vulnerability
we identify the threats so vulnerability assessment identifying weak points but
assessment identifying weak points but exploiting the vulnerability gain access
exploiting the vulnerability gain access to system that is called PT so we do
to system that is called PT so we do also do threat analysis where we examine
also do threat analysis where we examine threats that could exploit the
threats that could exploit the vulnerabilities that something is there
vulnerabilities that something is there moving to ahead we also talking about
moving to ahead we also talking about risk register very very important this
risk register very very important this is something we create in Risk
is something we create in Risk identification stage it is a centralized
identification stage it is a centralized document which document all the
document which document all the identified risk asset threats and
identified risk asset threats and control and it's a live document live it
control and it's a live document live it is a live document that we follow
is a live document that we follow throughout the risk management and the
throughout the risk management and the entire operations two major benefit of
entire operations two major benefit of risk register is that it it is a
risk register is that it it is a centralized document so all team can see
centralized document so all team can see this and according to that they get a
this and according to that they get a holistic view about the risk second is
holistic view about the risk second is basically we create this in a first
basically we create this in a first stage which is called risk
stage which is called risk identification stage so risk
identification stage so risk identification stage itself is a very
identification stage itself is a very critical because risk identification
critical because risk identification assessment process is a foundation and
assessment process is a foundation and cism are responsible for establishing
cism are responsible for establishing maintaining a comprehensive risk
maintaining a comprehensive risk register it's a live document which
register it's a live document which maintain and document all the risk and
maintain and document all the risk and all Department see that risk register
all Department see that risk register and take the unified
and take the unified decisions now vulnerability and control
decisions now vulnerability and control deficiency see in a risk identification
deficiency see in a risk identification we identifying assets we identifying the
we identifying assets we identifying the vulnerability so vulnerability
vulnerability so vulnerability identification is very important so we
identification is very important so we have to regularly assess the
have to regularly assess the vulnerability due to the weak controls
vulnerability due to the weak controls out softwares and lack of security
out softwares and lack of security policies one thing I want to go bit off
policies one thing I want to go bit off the topic is every company go for VA
the topic is every company go for VA vulnerability assessment but not every
vulnerability assessment but not every company go for PT and the reason is very
company go for PT and the reason is very simple is vulnerability management
simple is vulnerability management process is closely work with patch
process is closely work with patch management process that's why
management process that's why vulnerability management practice we
vulnerability management practice we follow but we don't go for the PT
follow but we don't go for the PT because aggressive PT can impact the
because aggressive PT can impact the availability and when we're doing a
availability and when we're doing a vulnerability assessment we do against a
vulnerability assessment we do against a security control Baseline okay so we
security control Baseline okay so we what is Baseline minimum security
what is Baseline minimum security settings we need in a system let's say
settings we need in a system let's say example we decided we need to implement
example we decided we need to implement a password eight character is a password
a password eight character is a password that's a standard but alpha numeric is a
that's a standard but alpha numeric is a minimum thing I need in the eight
minimum thing I need in the eight character passord that's a baseline so
character passord that's a baseline so whenever we're talking about technology
whenever we're talking about technology Baseline whenever we're talking about
Baseline whenever we're talking about technology Baseline is very important I
technology Baseline is very important I will give one more example here is let's
will give one more example here is let's say example uh this is my system okay I
say example uh this is my system okay I want the antivirus that's a minimum okay
want the antivirus that's a minimum okay and I want password so antivir should be
and I want password so antivir should be signature based that's a minimum
signature based that's a minimum Baseline I need I cannot go below that
Baseline I need I cannot go below that so when you're talking about security
so when you're talking about security control Baseline establish the minimum
control Baseline establish the minimum standard for controls to ensure
standard for controls to ensure consistent security across the
consistent security across the organization and how we validate that
organization and how we validate that with the help of audit so here one thing
with the help of audit so here one thing you need to understand is audit play a
you need to understand is audit play a very important
very important role okay let's say example we have a
role okay let's say example we have a customer and here we have a
customer and here we have a vendor customer is looking for a Cloud
vendor customer is looking for a Cloud solution vendor has give him an
solution vendor has give him an assurance that we have ocate security
assurance that we have ocate security controls vendor has assured the customer
controls vendor has assured the customer we have ocate security controls so First
we have ocate security controls so First Fundamental principle you need to
Fundamental principle you need to remember in cism writing it does not
remember in cism writing it does not mean it happens go look and verify I
mean it happens go look and verify I repeat again writing it does not mean it
repeat again writing it does not mean it happens go look and verify so even they
happens go look and verify so even they provide me in document that there is a
provide me in document that there is a security controls we validate that
security controls we validate that control with the help of audit that is
control with the help of audit that is why audit is very important so when you
why audit is very important so when you draft the contract you add the right to
draft the contract you add the right to audit Clause so regular audit is
audit Clause so regular audit is important and any kind of a control
important and any kind of a control deficiencies there we can able to
deficiencies there we can able to prioritize based on remediation based on
prioritize based on remediation based on impact cost and Threat Level that's
impact cost and Threat Level that's something we always look for another
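The baseline and audit idea from the passages above (the weak-password server, the scanner applying its signatures to systems A and B, the eight-character alphanumeric password and signature-based antivirus minimums, and control deficiencies prioritized by impact, cost and threat level), worked as an added Python example that is not code from the video or the speaker. The host snapshots, the control names, the 1-5 weighting scales and the priority formula are all assumptions made for this example:

```python
"""Audit constructed host configurations against a security-control baseline.

Added example, not code from the video: the baseline encodes the two minimums
the speaker uses (an eight-character alphanumeric password and a signature-based
antivirus), each check is applied to every host the way a scanner applies its
signatures, and the resulting control deficiencies are ordered for remediation
by impact, cost and threat level.  Host data, the 1-5 weighting scales and the
priority formula are all assumptions for the example.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class HostConfig:
    """Constructed snapshot of the settings the baseline cares about."""
    name: str
    password_min_length: int
    password_alphanumeric: bool
    antivirus_installed: bool
    antivirus_signature_based: bool


@dataclass(frozen=True)
class ControlCheck:
    """One baseline requirement: the minimum expected value and how to read it off a host."""
    control: str
    expected: Any
    actual: Callable[[HostConfig], Any]
    impact: int        # 1..5, assumed scale
    cost: int          # 1..5, remediation cost, assumed scale
    threat_level: int  # 1..5, assumed scale


# The minimum security settings; going below any of them is a control deficiency.
BASELINE = [
    ControlCheck("password_min_length", 8, lambda h: h.password_min_length, 4, 1, 5),
    ControlCheck("password_alphanumeric", True, lambda h: h.password_alphanumeric, 3, 1, 4),
    ControlCheck("antivirus_installed", True, lambda h: h.antivirus_installed, 5, 2, 5),
    ControlCheck("antivirus_signature_based", True, lambda h: h.antivirus_signature_based, 3, 2, 3),
]


@dataclass(frozen=True)
class Deficiency:
    host: str
    control: str
    expected: Any
    actual: Any
    priority: float  # higher = remediate first


def meets(check: ControlCheck, host: HostConfig) -> bool:
    """Booleans must match exactly; numbers are minimums, so higher is fine."""
    value = check.actual(host)
    if isinstance(check.expected, bool):
        return value is check.expected
    return value >= check.expected


def audit_host(host: HostConfig, baseline=BASELINE) -> list:
    """Apply every baseline check to one host: 'writing it does not mean it happens'."""
    found = []
    for check in baseline:
        if meets(check, host):
            continue
        # A missing antivirus is already reported; its signature mode is moot then.
        if check.control == "antivirus_signature_based" and not host.antivirus_installed:
            continue
        found.append(Deficiency(host.name, check.control, check.expected, check.actual(host),
                                priority=check.impact * check.threat_level / check.cost))
    return found


def audit(hosts, baseline=BASELINE) -> list:
    """Audit all hosts and return their deficiencies ordered for remediation."""
    deficiencies = [d for h in hosts for d in audit_host(h, baseline)]
    return sorted(deficiencies, key=lambda d: d.priority, reverse=True)


# Constructed hosts: A has a weak password policy, B has no antivirus, C meets the baseline.
SAMPLE_HOSTS = [
    HostConfig("server-A", password_min_length=6, password_alphanumeric=False,
               antivirus_installed=True, antivirus_signature_based=True),
    HostConfig("server-B", password_min_length=12, password_alphanumeric=True,
               antivirus_installed=False, antivirus_signature_based=False),
    HostConfig("server-C", password_min_length=8, password_alphanumeric=True,
               antivirus_installed=True, antivirus_signature_based=True),
]


if __name__ == "__main__":
    for d in audit(SAMPLE_HOSTS):
        print(f"{d.host}: {d.control} expected {d.expected!r}, found {d.actual!r} "
              f"(priority {d.priority:.1f})")
```

Running it lists server-A's short password policy first, then server-B's missing antivirus, then server-A's missing alphanumeric requirement; server-C produces nothing. The point of the data-driven baseline is that the checks are the written standard and the audit is the verification step, which is the separation the right-to-audit clause exists to preserve.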
something we always look for another important thing uh we always try is as a
important thing uh we always try is as a CSM professional we should focus on
CSM professional we should focus on setting up the Baseline which align with
setting up the Baseline which align with the risk tolerance and risk appetite of
the risk tolerance and risk appetite of an organization because based on level
an organization because based on level of risk tolerance we can take a call as
of risk tolerance we can take a call as I said if the company is new risk
I said if the company is new risk tolerance is high if the company is old
tolerance is high if the company is old risk tolerance is low or the company if
risk tolerance is low or the company if they have a low risk tolerance they
they have a low risk tolerance they invest more money on the controls
invest more money on the controls because they don't want to take much
because they don't want to take much risk so one more important thing you
risk so one more important thing you need to understand risk
need to understand risk versus
versus incident incident is a confirm action
incident incident is a confirm action the person already failed this exam
the person already failed this exam that's an incident but if you don't
that's an incident but if you don't prepare this or don't prepare that you
prepare this or don't prepare that you might fail this exam with the risk the
might fail this exam with the risk the word come is might
word come is might might might okay so one thing you need
might might okay so one thing you need to understand it is based on a company
to understand it is based on a company risk tolerance we take all the
risk tolerance we take all the initiatives based on risk appetite we
initiatives based on risk appetite we Define the controls okay so either risk
Define the controls okay so either risk tolerance will be the best answer or
tolerance will be the best answer or either risk appetite is the best answer
either risk appetite is the best answer because ultimately within a risk
because ultimately within a risk appetite we take all the calls that's
appetite we take all the calls that's why we said here is CSM professional
why we said here is CSM professional should focus on setting up the Baseline
should focus on setting up the Baseline align with the organization risk
align with the organization risk tolerance and on regular B basis we
tolerance and on regular B basis we validate to make sure this tolerance
validate to make sure this tolerance will be below the appetite level it
will be below the appetite level it should not go above the appetite level
should not go above the appetite level okay so now we understood okay we have a
okay so now we understood okay we have a threats we have a assets we have a
threats we have a assets we have a vulnerability but we need to understand
vulnerability but we need to understand the level of impact and here the level
the level of impact and here the level of impact is called as a three- way to
of impact is called as a three- way to calculate so we have a so we have a
calculate so we have a so we have a three type of analysis qualitative
three type of analysis qualitative quantitative and uh
quantitative and uh hybrid now when you say qualitative
hybrid now when you say qualitative analysis qualitative we evaluate the
analysis qualitative we evaluate the impact and likelihood in a description
impact and likelihood in a description term descriptive term like high low
term descriptive term like high low medium so if the keyword is impact and
medium so if the keyword is impact and likelihood descriptive answer is
likelihood descriptive answer is qualitative risk assessment second is
qualitative risk assessment second is called as a quantitative where we
called as a quantitative where we calculate the impact in terms of
calculate the impact in terms of monetary value and here we use a formula
monetary value and here we use a formula called Al so we have a formula called
called Al so we have a formula called exposure
exposure Factor we have a SLE and we have a Al
Factor we have a SLE and we have a Al the first thing what we calculate is the
the first thing what we calculate is the SLE single loss expectancy which is
SLE single loss expectancy which is equal to asset value into exposure
equal to asset value into exposure Factor then we have a Al annual loss
Factor then we have a Al annual loss expectancy the formula is basically SLE
expectancy the formula is basically SLE into AR okay so these are the formulas
into AR okay so these are the formulas we are using to calculate the impact
we are using to calculate the impact let's say example there's a company and
let's say example there's a company and um they're doing a business and they're
um they're doing a business and they're generating a $10,000 value every year
generating a $10,000 value every year hypothetical scenario so that is my
hypothetical scenario so that is my asset
asset value okay so now we have a we need to
value okay so now we have a we need to calculate the SLE so asset value is
calculate the SLE so asset value is $10,000 okay exposure Factor you know
$10,000 okay exposure Factor you know when we have no exposure Factor we
when we have no exposure Factor we always keep
always keep 100% so exposure 100 for is one incident
100% so exposure 100 for is one incident happen the cost me $10,000 if it's
happen the cost me $10,000 if it's happening once in a year 10,000 if
happening once in a year 10,000 if happen two two times in a year and 2,000
happen two two times in a year and 2,000 so 20,000 so SLE is become $10,000 AR it
so 20,000 so SLE is become $10,000 AR it happened once in a year so overall Al is
happened once in a year so overall Al is basically 10,000 so we never take a call
basically 10,000 so we never take a call based on a SLE we always take a call
based on a SLE we always take a call based on Al annual loss of on annual
based on Al annual loss of on annual loss EXP see so and third is called as a
loss EXP see so and third is called as a hybrid where we start with the
hybrid where we start with the quantitative and then we map to
quantitative and then we map to qualitative I repeat again we start with
qualitative I repeat again we start with the quantitative we start with the
the quantitative we start with the quantitative and then we move to
quantitative and then we move to qualitative now another important thing
qualitative now another important thing we need to understand is we have a
we need to understand is we have a different way to evaluate the risk okay
different way to evaluate the risk okay we have a different way to evaluate the
we have a different way to evaluate the risk because once we have a result with
risk because once we have a result with us we use those results to measure the
us we use those results to measure the level of impact okay and we'll see is
level of impact okay and we'll see is the risk value is going Beyond the
the risk value is going Beyond the appetite and all that because whatever
appetite and all that because whatever the results we got okay whatever the
the results we got okay whatever the words will be there let's say example
words will be there let's say example the capacity is suppose
the capacity is suppose 30 appetite value is 25 okay so
30 appetite value is 25 okay so likelihood is five impact is basically
likelihood is five impact is basically five so overall is coming 25 so it is
five so overall is coming 25 so it is equal to
equal to appetite but the value go beyond the 30
appetite but the value go beyond the 30 31 and all that in that case we need to
31 and all that in that case we need to avoid that risk so that's a reason risk
avoid that risk so that's a reason risk evaluation is a phase where we map the
evaluation is a phase where we map the value with RIS risk appetite and risk
value with RIS risk appetite and risk tolerance okay ultimately we have to
tolerance okay ultimately we have to make sure everything should go below the
make sure everything should go below the appetite ultimately we have to drive the
appetite ultimately we have to drive the activity below the appetite that is
activity below the appetite that is something there and once you calculate
something there and once you calculate the impact we also need to prioritize
the impact we also need to prioritize which impact we need to treat first and
which impact we need to treat first and that's something we discuss in the Bia
that's something we discuss in the Bia business impact analysis it is a
business impact analysis it is a critical step in understanding the
critical step in understanding the potential impact on business
potential impact on business operations okay once you identify the
operations okay once you identify the impact we need to prioritize the impact
impact we need to prioritize the impact which impact we need to treat first
which impact we need to treat first again based on the value only we can
again based on the value only we can able to prioritize the impact so C some
able to prioritize the impact so C some candidate so they must evaluate the risk
candidate so they must evaluate the risk accurately and make sure your mitigation
accurately and make sure your mitigation strategy should be aligned with the
strategy should be aligned with the organization risk appe and capacity okay
organization risk appe and capacity okay remember one thing this statement is
remember one thing this statement is your treatment strategy or mitigation
your treatment strategy or mitigation strategy should be aligned with the risk
strategy should be aligned with the risk appetite make sure risk should be below
appetite make sure risk should be below the appetite so we have a four way to
the appetite so we have a four way to treat the risk okay so we have a four
treat the risk okay so we have a four way to treat the risk one is called as a
way to treat the risk one is called as a risk avoidance where you're avoiding a
risk avoidance where you're avoiding a business which bringing risk to the
business which bringing risk to the company example like I know the exam
company example like I know the exam cost is very high but I also know if I
cost is very high but I also know if I go for the exam the there's a good
go for the exam the there's a good increment there's a good hik in all that
increment there's a good hik in all that but now I decided I will not go for this
but now I decided I will not go for this exam because cost of exam is very high
exam because cost of exam is very high so in that case I dro the idea not to
so in that case I dro the idea not to continue my exam that's called risk
continue my exam that's called risk avoidance it the same like you're
avoidance it the same like you're already doing a business in Europe and
already doing a business in Europe and India because of strong regulations now
India because of strong regulations now if I'm moving to the Singapore or if I'm
if I'm moving to the Singapore or if I'm moving to Saudi they have a strong
moving to Saudi they have a strong regulations and I it already having a
regulations and I it already having a lot of of losses there's no point of
lot of of losses there's no point of taking a new business so in that case we
taking a new business so in that case we avoid and we also take avoidance in that
avoid and we also take avoidance in that case when the risk going beyond the
case when the risk going beyond the capacity second is called as risk
capacity second is called as risk mitigation where we implementing control
mitigation where we implementing control to reduce a risk that is called risk
to reduce a risk that is called risk mitigation and ultimate goal in
mitigation and ultimate goal in mitigation is to bring the risk below
mitigation is to bring the risk below the appetite
the appetite level the third important part is called
level the third important part is called as risk transfer we go for risk transfer
as risk transfer we go for risk transfer in that case when uh we talk about the
in that case when uh we talk about the insurance we go for RIS transfer in that
insurance we go for RIS transfer in that case when the likelihood is low but
case when the likelihood is low but impact is high
impact is high and I'll give an example okay you take a
and I'll give an example okay you take a medical insurance right why so let's say
medical insurance right why so let's say example in India average individual
example in India average individual medical insurance will cost you 10,000
medical insurance will cost you 10,000 rupees okay for a year you are paying
rupees okay for a year you are paying around U for a for for 10 year you're
around U for a for for 10 year you're paying 1 lakh for a 10 year you paying
paying 1 lakh for a 10 year you paying 10 LH sorry for one for 10 year you
10 LH sorry for one for 10 year you paying 1 lakh for 20 year you paying 2
paying 1 lakh for 20 year you paying 2 lakh but you know very well you're going
lakh but you know very well you're going to gym you're wearing helmet you're
to gym you're wearing helmet you're doing everything the likelihood of
doing everything the likelihood of getting accident is low but if if it
getting accident is low but if if it happen the impact is high because once
happen the impact is high because once you admit in the hospital this two lak
you admit in the hospital this two lak will be going one shot same like you
will be going one shot same like you have a strong security controls you have
have a strong security controls you have a strong regulations you have one of the
a strong regulations you have one of the best thing in the market but if one
best thing in the market but if one issue happen the impact is very high so
issue happen the impact is very high so in that case we make sure we take a
in that case we make sure we take a cyber Insurance okay so with the help of
cyber Insurance okay so with the help of cyber Insurance you can reduce the
cyber Insurance you can reduce the impact third is called so fourth is
impact third is called so fourth is called as risk acceptance where the cost
called as risk acceptance where the cost of control is high over the cost of risk
of control is high over the cost of risk we accept the risk when the risk is
we accept the risk when the risk is below the appetite we accept the risk
below the appetite we accept the risk risk and the risk which is left after
risk and the risk which is left after implementing control the resal risk that
implementing control the resal risk that we accept actually we have a two risk
we accept actually we have a two risk here one is called as a inherent
here one is called as a inherent risk and one is called as a residual
risk and one is called as a residual risk
risk residual risk the risk before
residual risk the risk before implementing control is called inherit
implementing control is called inherit oh so so big book it is difficult for me
oh so so big book it is difficult for me to read the read the book that's an
to read the read the book that's an inherent risk then you attend the
inherent risk then you attend the training as a part of a treatment and
training as a part of a treatment and then you went with the % preparation in
then you went with the % preparation in the exam so the risk which is left after
the exam so the risk which is left after implementing control that's called resal
implementing control that's called resal risk and if the resal risk is within
risk and if the resal risk is within appetite they accept that okay so that
appetite they accept that okay so that something is a factor so two conditions
something is a factor so two conditions are there in which we accept the risk
are there in which we accept the risk when the cost of control is higher than
when the cost of control is higher than cost of risk or the second is the risk
cost of risk or the second is the risk is below the appetite level but the
is below the appetite level but the question is what should be the strategy
question is what should be the strategy of your residual risk so your residual
of your residual risk so your residual risk strategy when we talking
risk strategy when we talking about um you know it it should be you
about um you know it it should be you know uh the risk remain after
know uh the risk remain after implementing control and should be
implementing control and should be aligned with the organization risk
aligned with the organization risk tolerance and your risk tolerance should
tolerance and your risk tolerance should be below the appetite okay so as a CM
be below the appetite okay so as a CM context cesm are responsible for
context cesm are responsible for determining and recommending appropriate
determining and recommending appropriate risk response based on the need and res
risk response based on the need and res risk tolerance okay so once you
risk tolerance okay so once you implement the controls and everything
implement the controls and everything okay the next thing is that you have to
okay the next thing is that you have to do the monitoring so communication
do the monitoring so communication monitoring or continuous monitoring is
monitoring or continuous monitoring is very important and this is basically
very important and this is basically where you introduce a pointer which is
where you introduce a pointer which is called kri a matrix to Signal the chance
called kri a matrix to Signal the chance the risk profile and emerging threats
the risk profile and emerging threats based on a k only we take a call in the
based on a k only we take a call in the further slide we discuss what is k key
further slide we discuss what is k key risk indicator let's say example you're
risk indicator let's say example you're driving a car you know your car switched
driving a car you know your car switched to reserve it mean you have a less fuel
to reserve it mean you have a less fuel that is a k if you don't give attention
that is a k if you don't give attention to that at one point of time the car
to that at one point of time the car will stop right now it giving you
will stop right now it giving you indicator car might stop might stop
indicator car might stop might stop might stop is it clear if you don't give
might stop is it clear if you don't give attention to that the car will stop then
attention to that the car will stop then it is a incident so K are the signals
it is a incident so K are the signals changes in the risk profile okay it's
changes in the risk profile okay it's very important based on a k we take a
very important based on a k we take a calls K is a topic very very important
calls K is a topic very very important for the exam when you're preparing for
for the exam when you're preparing for the season so when you're talking about
the season so when you're talking about the risk reporting it's very important
the risk reporting it's very important when you're presenting a reports on the
when you're presenting a reports on the risk whatever you have so risk reporting
risk whatever you have so risk reporting is what your identified risk level of
is what your identified risk level of impact and your recommended uh controls
impact and your recommended uh controls okay based on that action plan prepared
okay based on that action plan prepared by the customer so your reporting should
by the customer so your reporting should regularly update Management on the S
regularly update Management on the S risk data then we have to use dashboard
risk data then we have to use dashboard to present risk effectively and based on
to present risk effectively and based on the audience we prepare the report make
the audience we prepare the report make sure you should have a clear and
sure you should have a clear and structured reporting channel to ensure
structured reporting channel to ensure timely updates should be there on the
timely updates should be there on the risk and risk response so as a CM
risk and risk response so as a CM candidate you must Define the clear
candidate you must Define the clear Communication channel reporting
Communication channel reporting mechanism to ensure all stakeholders are
mechanism to ensure all stakeholders are informed and involved in the risk
informed and involved in the risk management now in the risk management
management now in the risk management process we have a two things risk owner
process we have a two things risk owner so your business are the risk owners
so your business are the risk owners Senor management is a risk owner so
Senor management is a risk owner so there should be some individual should
there should be some individual should take the accountability to decide to
take the accountability to decide to implement the control let's say example
implement the control let's say example I'm doing an audit of change management
I'm doing an audit of change management process and I discovered in the change
process and I discovered in the change management process the documentation is
management process the documentation is missing so chain management lead the
missing so chain management lead the team who heading that he will be the
team who heading that he will be the risk owner then he contact the IT team
risk owner then he contact the IT team and say okay we need some controls from
and say okay we need some controls from the it point of view and they also have
the it point of view and they also have a team who responsible for implementing
a team who responsible for implementing control so there is a person who own the
control so there is a person who own the risk that's called risk
risk that's called risk ownership and in 90% case control
ownership and in 90% case control ownership is owned by the same team but
ownership is owned by the same team but in some 10% it will be owned by the it
in some 10% it will be owned by the it team like example in the chain
team like example in the chain management process we discovered SSL was
management process we discovered SSL was not
not used so risk will be owned by the chain
used so risk will be owned by the chain management lead but control will be
management lead but control will be owned by the ID team so control owners
owned by the ID team so control owners typically lies with the responsible for
typically lies with the responsible for implementing maintaining the control
implementing maintaining the control that is a important factor we have okay
that is a important factor we have okay again I'm telling you risk owner is
again I'm telling you risk owner is basically all about informed decisions
basically all about informed decisions on the risk mitigation or
on the risk mitigation or treatment and control owner is the one
treatment and control owner is the one who responsible for implementing and
who responsible for implementing and maintaining the controls
maintaining the controls and everything has to be documented it's
and everything has to be documented it's very important okay it's very important
very important okay it's very important you have to document that so ensure all
you have to document that so ensure all risk and control owners decisions should
risk and control owners decisions should be documented we have to document the
be documented we have to document the decisions risk acceptance and control
decisions risk acceptance and control Effectiveness so as a CM you need to
Effectiveness so as a CM you need to ensure the clarity should be there in
ensure the clarity should be there in risk and control ownership that's why a
risk and control ownership that's why a company have a r chart and by having
company have a r chart and by having this documentation you can able to
this documentation you can able to facilitating the alignment and
facilitating the alignment and accountability within the organization
accountability within the organization that's something is important part of
that's something is important part of the requirement but but as I said when
the requirement but but as I said when you're implementing a controls and
you're implementing a controls and everything it's very important you need
everything it's very important you need to make sure you should be comply with
to make sure you should be comply with the legal regulatory so you need to
the legal regulatory so you need to comply with gdpr you need to comply with
comply with gdpr you need to comply with HIPPA and we also have a risk from
HIPPA and we also have a risk from non-compliance like organization may
non-compliance like organization may choose to accept or mitigate risk based
choose to accept or mitigate risk based on impact of non-compliance also right
on impact of non-compliance also right that is also there one more important
that is also there one more important thing please understand this carefully
thing please understand this carefully okay let's take example you have a
okay let's take example you have a policy no one's supposed to send any
policy no one's supposed to send any data outside of your
data outside of your company but now regulatory has a
company but now regulatory has a requirement you need to send them data
requirement you need to send them data now if you don't send them then it's a
now if you don't send them then it's a non- compliance from a regulation and if
non- compliance from a regulation and if you send them then it's a non-compliance
you send them then it's a non-compliance from the policy so whenever you have to
from the policy so whenever you have to go beyond the policy you first have to
go beyond the policy you first have to assess the risk of non-compliance look
assess the risk of non-compliance look for the benefit and then take a call
for the benefit and then take a call like you know there is a fire occurrence
like you know there is a fire occurrence Data Center policy said that you should
Data Center policy said that you should not break the door but in this case you
not break the door but in this case you have to break the door so you have to
have to break the door so you have to assess the risk of non-compliance and
assess the risk of non-compliance and according to that you have to take the
according to that you have to take the final call so organization may choose to
final call so organization may choose to accept or mitigate risk based on the
accept or mitigate risk based on the impact of the non-compliance
impact of the non-compliance another important thing we have is
another important thing we have is indemnity agreement very very important
indemnity agreement very very important okay so this can be used to transfer the
okay so this can be used to transfer the responsibility to third party any
responsibility to third party any question talking about Indemnity
question talking about Indemnity agreement it mean we're talking about
agreement it mean we're talking about transferring responsibility to third
transferring responsibility to third party in managing the risk in a third
party in managing the risk in a third party
party relationship because by the contract
relationship because by the contract only by the agreement only you can able
only by the agreement only you can able to manage the things okay so cesm must
to manage the things okay so cesm must work with the legal compliance team okay
work with the legal compliance team okay to integrate the regulat requirements
to integrate the regulat requirements into the risk management process and by
into the risk management process and by which you can able to manage things
which you can able to manage things effectively another important thing we
effectively another important thing we talk about the risk and awareness
talk about the risk and awareness training it's very important you need to
training it's very important you need to update the risk awareness details to the
update the risk awareness details to the management so regularly educated employs
management so regularly educated employs about the risk factors and best practice
about the risk factors and best practice it's better you can add there in a
it's better you can add there in a security awareness program and that is
security awareness program and that is why we say security awareness program
why we say security awareness program should be custom and create as per the
should be custom and create as per the audience along with that you can also
audience along with that you can also use metrics to measure the effectiveness
use metrics to measure the effectiveness of the awareness training which can be
of the awareness training which can be adjusted as necessary so what is the CM
adjusted as necessary so what is the CM pointer is effective risk awareness
pointer is effective risk awareness training can significantly reduce the
training can significantly reduce the human related vulnerabilities and
human related vulnerabilities and essential responsibility of the cesm
essential responsibility of the cesm role that something is there now when we
role that something is there now when we doing a risk analysis we have a
doing a risk analysis we have a different way to do the analysis the
different way to do the analysis the first is called as baso scenario okay we
first is called as baso scenario okay we developed the scenario to assess the
developed the scenario to assess the potential outcome and cost getting
potential outcome and cost getting impact let's say example if supplier is
impact let's say example if supplier is unavailable what happens it will will
unavailable what happens it will will not able to provide me the you know fun
not able to provide me the you know fun business support functions and all that
business support functions and all that if they don't able to provide me support
if they don't able to provide me support business function is a different level
business function is a different level of impact so that is called as a
of impact so that is called as a scenario analysis so we develop the r
scenario analysis so we develop the r scenarios to the potential outcome and
scenarios to the potential outcome and cascading impact cascading mean One
cascading impact cascading mean One impact have on other
impact have on other impact another technique that we use is
impact another technique that we use is Bia where we estimate the impact of a
Bia where we estimate the impact of a specific risk on the business
specific risk on the business operations okay and third we prioritize
operations okay and third we prioritize a risk based on likelihood and impact to
a risk based on likelihood and impact to guide the response strategy so as a cism
guide the response strategy so as a cism professional you must be adapt in Risk
professional you must be adapt in Risk analysis method to predict and prepare
analysis method to predict and prepare for possible risk event and ensure the
for possible risk event and ensure the response strategy are aligned with the
response strategy are aligned with the business priority and appetite level now
business priority and appetite level now the question is how you create a risk
the question is how you create a risk scenarios so in that the first thing is
scenarios so in that the first thing is called likelihood example if you're
called likelihood example if you're going on the cloud you might lose the
going on the cloud you might lose the data you might lose the governance
data you might lose the governance that's called likelihood and impact is
that's called likelihood and impact is you will lose the data so likelihood is
you will lose the data so likelihood is a probability of R risk occurrence let's
a probability of R risk occurrence let's say example likelihood is talk about How
say example likelihood is talk about How likely the risk is to occur and usually
likely the risk is to occur and usually an appropriate
an appropriate estimate but impact is talk about the
estimate but impact is talk about the severity and estimate of the effect of
severity and estimate of the effect of the risk if the risk is evaluated which
the risk if the risk is evaluated which is impact is called as a consequences
is impact is called as a consequences but the another important part we talk
but the another important part we talk about is casing impact if if impact one
about is casing impact if if impact one business what is an impact on the other
business what is an impact on the other business that is called as a cascading
business that is called as a cascading impact so when you evaluating we have to
impact so when you evaluating we have to make sure your evaluation should be
make sure your evaluation should be aligned with the appetite and tolerance
aligned with the appetite and tolerance remember that okay so when you're
remember that okay so when you're evaluating your parameter should be
evaluating your parameter should be aligned okay must be aligned with the
aligned okay must be aligned with the organization risk appetite and tolerance
organization risk appetite and tolerance because we have to make sure that risk
because we have to make sure that risk should all always and always below the
should all always and always below the appetite level so as a as a cesm
appetite level so as a as a cesm context okay we develop the realistic
context okay we develop the realistic risk scenarios which help the CM
risk scenarios which help the CM professional to understand the impact
professional to understand the impact and you need to prioritize the risk
and you need to prioritize the risk response effectively that something is
response effectively that something is part of the
part of the function so now we have a call to do
function so now we have a call to do risk response and defining the
risk response and defining the acceptable risk level so without
acceptable risk level so without defining a limit is difficult to measure
defining a limit is difficult to measure if security objectives has been met and
if security objectives has been met and that is the reason we saying we have to
that is the reason we saying we have to create appetite capacity and tolerance
create appetite capacity and tolerance so we have a boundary to be set so when
so we have a boundary to be set so when we're talking about risk appetite the
we're talking about risk appetite the level RIS organization willing to take
level RIS organization willing to take the capacity is a maximum risk the
the capacity is a maximum risk the organization can handle there's a
organization can handle there's a difference between appetite and capacity
difference between appetite and capacity is appetite is a level of risk that we
is appetite is a level of risk that we can take but maximum risk we cannot go
can take but maximum risk we cannot go beyond that that is called capacity and
beyond that that is called capacity and the variation between that is called as
the variation between that is called as a risk tolerance and now what is a exam
a risk tolerance and now what is a exam pointer is as a parameter CM role requir
pointer is as a parameter CM role requir thorough understanding of acceptable
thorough understanding of acceptable level of risk so that we can able to
level of risk so that we can able to take a decisions and balance a risk
take a decisions and balance a risk against the goals sry not Goa it's goals
against the goals sry not Goa it's goals okay so that something is part of the
okay so that something is part of the function now we have a criteria based on
function now we have a criteria based on which we uh we actually go for the risk
which we uh we actually go for the risk residual so we need to evaluate the
residual so we need to evaluate the controls okay implementation cost we
controls okay implementation cost we look for the Enterprise culture we look
look for the Enterprise culture we look for the asset criticality so when we
for the asset criticality so when we evaluating control implementation we
evaluating control implementation we look for the cost culture and asset
look for the cost culture and asset criticality and we always accept risk
criticality and we always accept risk when mitigation cost outweigh the
when mitigation cost outweigh the benefit it okay so example like I know
benefit it okay so example like I know the training cost is very high compared
the training cost is very high compared to certification cost so I will draw I
to certification cost so I will draw I will accept the exam without going for
will accept the exam without going for the training I will say okay I'm getting
the training I will say okay I'm getting a second shot free I'm getting a
a second shot free I'm getting a benefits let me go for the exam so in
benefits let me go for the exam so in that case I'm not spending money on the
that case I'm not spending money on the training because training cost is $1,000
training because training cost is $1,000 exam cost is
exam cost is $500 why should I pay ,000 here right so
$500 why should I pay ,000 here right so in that case we accept the risk so CM
in that case we accept the risk so CM must ensure the res risk are managed
must ensure the res risk are managed align with the organization policies and
align with the organization policies and risk tolerance tolerance mean it should
risk tolerance tolerance mean it should be below the appetite level so we
be below the appetite level so we maintain some kind of a documents here
maintain some kind of a documents here so first document is called risk
so first document is called risk register which document all the
register which document all the identified risk including owners and
identified risk including owners and response actions second is chain
response actions second is chain management so adapt the risk policies
management so adapt the risk policies and business environment change to keep
and business environment change to keep the pace with a new risk and ultimate
the pace with a new risk and ultimate goal of chain management is to track the
goal of chain management is to track the accountability
accountability okay so effective documentation and
okay so effective documentation and version controls are vital because risk
version controls are vital because risk constantly getting changed we also
constantly getting changed we also update the documents
update the documents so according to that you need to have a
so according to that you need to have a version history and by that you can able
version history and by that you can able to allow the cesm to update and track
to allow the cesm to update and track the policy
the policy accurately so it's very important when
accurately so it's very important when you identify risk and everything you
you identify risk and everything you need to create a matrix so effective
need to create a matrix so effective Matrix are very important and what is a
Matrix are very important and what is a primary objective while developing a
primary objective while developing a matrix it should have actionable
matrix it should have actionable insights and that Matrix can be used for
insights and that Matrix can be used for the decision making so you can use a
the decision making so you can use a matrix to track the progress and you can
matrix to track the progress and you can able to adjust the strategy and report
able to adjust the strategy and report on security status okay and Matrix is
on security status okay and Matrix is always a Cornerstone of reporting for
always a Cornerstone of reporting for cism because it allow them to
cism because it allow them to demonstrate the risk management
demonstrate the risk management performance and improvement over the
performance and improvement over the time that's a very important part that's
time that's a very important part that's why metrics are very important and it
why metrics are very important and it should it it should need to be
should it it should need to be maintained as per the part of the
maintained as per the part of the Integrity
So now we are talking about one of the most important topics, which is very, very important for your CISM preparation: KPI, KRI and KCI. Before I discuss this, let me give you a high-level overview. See, when we are talking about metrics, the first thing we always set is a KPI, key performance indicator, let's say for example percentage of systems with the updated security patch, that is a KPI. Now for that I'm setting a KRI. KRI basically means the challenge which we face while achieving our KPI, like number of detected malware attempts per month, number of people not available in the office, so that is called a KRI. And third is called a KCI, key control effectiveness, which talks about the percentage of successful pen tests that have been passed, so that is something which is part of the requirement. So the moral of the story is that we set the KPI, we use the KRI and we use the KCI.

So here the first thing is called a KRI, key risk indicator. Now here you can see KRIs are the metrics that indicate changes in the risk profile of the organization, and they signal when risk levels are increasing or when specific risks are approaching an acceptable level, that is called a KRI. Same like, you know, you're riding a car, or you're driving a car, sorry, so after one point of time the car will be in reserve; that gives me the indicator that we have to fill the fuel. If I don't fill the fuel, at one point the car may get stopped, right? So that is basically my KRI. So a KRI is the metric which indicates the changes in the risk profile, and they signal when risk levels are increasing or when a specific risk approaches an acceptable level, and the purpose of defining a KRI is that the organization monitors the potential risk and identifies the emerging threats. So for example, an increase in failed login attempts might indicate a higher insider threat risk, or a growing number of unpatched vulnerabilities, so that is a live example of the KRI. So from a CISM context point of view it's very important you need to know KRI, because it is critical for a CISM professional to monitor the effectiveness of risk management activity, and that is only possible when you monitor the KRI functions. Is it clear? So let me explain to you again. First is called KPI, an indicator that helps to govern, manage and provide the assurance that we are achieving our objective. KRI is an indicator that helps to govern, manage and provide assurance about the risk. And KCI, key control indicator, is an indicator that talks about the control effectiveness.

So in my next slide I'm going to discuss the KCI, key control indicator. So KCI measures the effectiveness of controls implemented to mitigate specific risk, and they indicate how well the existing controls are working to manage the risk, and the purpose is control performance and all that. So examples of the controls are number of successful firewall blocks or number of access violations detected by the monitoring system. So for CISMs, KCI helps in verifying the controls in place, and by having effective KCI we can have a reduction in the KRI.

Now third is called a KGI, key goal indicator, okay. So KGIs are the high-level metrics that measure the progress toward achieving the strategic objectives. In some cases we use a KPI as a KGI, and with the help of KGI you can evaluate if the information security program is meeting the strategic objectives. So if the question says which metric is very, very important to check are we achieving strategic objectives, the answer is KGI. Which metric is basically used to track the ineffectiveness of the control or ineffectiveness of the risk parameters and all, then the answer is KRI, because KCI is included in the KRI. So we have some examples here, like achievement rate of completion target is my KGI; reduction in the number of security incidents or breaches over time, sorry, that is called a KGI.
So I'll give an example, okay. So let's say for example your organization is willing to accept a low risk of data breach, okay, so here we have a risk appetite, and the risk appetite is: accept a low risk of data breaches. That is called a risk appetite. Now for this we set the KRI, give me a second. So here we have a KRI, key risk indicator. So what is the KRI: number of new malware variants detected per month, that is called the KRI. Then we have a KPI, okay: number of data breaches per month. And then, so here what happens, the target is that your organization wants to detect 99% of the new malware variants, so the organization will monitor the number of new malware variants detected per month. If the number of new malware variants detected per month exceeds by 1%, then the organization will take action to mitigate the risk. Is it clear? So KRI is number of new malware variants detected per month, and KPI is number of data breaches per month. So your organization wants to detect 99% of new malware variants, so for monitoring what we're doing is you will monitor the number of new malware variants detected per month; if the number of new malware variants detected per month exceeds by 1%, your organization will take an action to mitigate the risk. Is it clear? So that's how you set the KPI, KRI and all that.

So the moral of the story is that one thing we need to understand here is, you know, KGIs are essential for demonstrating the value and impact of the security program to senior management, and they provide the evidence. So KGIs are the high-level metrics that measure the progress, so by end of the day this is the only metric which is provided to the management, and they provide the evidence that your security initiatives are basically supporting the organization goals and they are supporting continuous improvement.
So we have different types of controls that we implement. So we have a preventative control, we have a corrective control, we have a detective, we have a compensating, we have a deterrent control. Let's say for example we have a firewall, so we introduce a firewall to reduce or eliminate the attacks; the primary objective is to, you know, block those things which violate the security policy, governance and everything, so that is called a preventative control. Second is called a corrective control. A corrective control comes into the picture if the preventative control has failed and we have recorded the incident; after the incident we have to reduce the impact, that is called a corrective control. Third is called a detective control; detective control means detect the incident. A compensating control comes into the picture when your primary control is not effective, but it is used to further block the attack, that is called compensating. And a deterrent control is something which talks about the behavior, preventing, discouraging the behavior.

So let me give you an example. So we have a policy, okay: no one is supposed to browse social media 9 to 5; if we find anyone browsing social media 9 to 5 we will take necessary actions, we will fire that candidate, we will terminate the candidate. So that is called a deterrent control; in that policy we give the warning. Still there is one employee who tries to open the social media, but the problem is that the firewall has blocked that particular website, that is called a preventative control. Now what happens is he disconnects from the internet, he tries to use his external dongle and through that he is trying to connect to the internet, but because of DLP it still prevents him from browsing the site, so here we have a DLP which acts like a compensating control. Till now there is no incident, but all the activities are recorded in the logs, that is called a detective control. Isolate the system immediately and terminate the candidate, that is basically called a corrective control. So this is how it basically works, okay.

One more example: if we find anyone outside without any reason we will put them in jail, that's part of a deterrent control during the COVID time, right? Remember during the COVID time we have introduced this circular, right? So people are wearing masks, maintaining social distance, that's a part of preventative; compensating is they have vaccinations; so we did the trials, we did the tests and all that and we discovered some COVID positive, that's called detective control; and isolate the person immediately from the family, that is part of corrective, and go for his recovery and all that, so all those are part of corrective, okay.

So if the question is talking about backup procedures, backup restoration, the answer is corrective control. If the question is talking about audit controls, audit trails, IDS, the answer is basically detective control. If the question is specifically targeting around multi-layer defense, the answer is compensating control, okay, because compensating controls are introduced to reduce the risk of an existing or potential control weakness, okay. Deterrent controls reduce the threat by providing a warning and all that.

But we implement in three ways. So one is called managerial; another name of managerial is administrative control, so don't get confused in the exam, another name of managerial is called administrative control. Actually we are implementing all this in three ways: managerial way, technical way and physical way. I'll give an example now. When I say managerial control, it is also called an administrative control. So the company sent a policy: no one is supposed to browse social media 9 to 5, if we find anyone browsing social media we will take necessary action, so it's like administrative but more like deterrent in nature. No one is allowed if they are not wearing a mask, that's an administrative preventative. So administrative controls apply to the processes and behavior of the people, for example policy, procedure, employee development, compliance reporting and all that. Technical control is something we apply to the information systems, software and network, which includes the firewall, intrusion detection, password and antivirus software. And physical control is something you apply physically, okay, physical security guards and all that. So here controls in any category may be implemented, but the most important part is we implement based on the risk assessment.
Now in domain two there are some topics we have which are technical in nature but testable. The first is called a DMZ. Now what is a DMZ? So before going to understand the DMZ, let me share the brief history. Now this is your internet, okay, this is one network: you have a web server also in here, you have a DNS also here, now you have a database also here, and you have an AD also here; all are part of the same network, everything is part of the same network, okay. So these two are critical and these two are sensitive, and now there is a user from outside. So the user is here, he wants to access the internet, so when the user tries to access the internet, and through that he wants to access the website, if we install the firewall here, and in the firewall we have too many restrictions, so all the packets go through these restrictions and it takes time for the inspection, it will slow down the process, and that basically delays the performance and the customer will not be happy. It is the same like, you know, in airport security checks after immigration and all that; the same thing happens here. So one thing we need to understand is, if I consider this factor I have to have very limited rules in the firewall; if I consider this factor I have to have very strict rules in the firewall. That is what happened: we created a DMZ, demilitarized zone, it's a concept that came from the military, DMZ. Now when you're talking about the DMZ concept, we keep those systems in the DMZ which are public facing; for me the website and DNS should be public facing, and which is sensitive in nature we keep in the database. So the ultimate goal of having a DMZ is to protect my internal network from outside, so any connection that comes will be terminated at this point, and then we basically install another firewall here to block the further actions. So remember one thing: whatever public facing servers we have, we can keep them in the DMZ, and the ultimate goal of a DMZ is to protect my internal network from external attack.
Along with that we are using cryptography; there's a dedicated video I made on cryptography, symmetric and asymmetric. When we are using the same key to encrypt and decrypt the data, that is called symmetric; when I'm using public and private keys to encrypt and decrypt the data, we use asymmetric. But today we use these two cryptographies together: symmetric cryptography we use for data encryption, and we use asymmetric for the key exchange, and that is why today it is called hybrid cryptography.
So as a summary, here you can see the summary: KRIs detect rising risk and allow the CISM to respond proactively, KCIs measure the control effectiveness, guiding the fine tuning, and KGIs measure the achievement of security goals, showing the strategic impact of security effort. So this is all from my side on domain two, let's move to domain three, thank you.
Okay so we are in domain three, information security program. Information security program represents 33% of the entire CISM, and we have around 50 questions we can expect from this area. Those who are preparing for CISM, make sure you give proper attention to domain three, it's very important after domain one. So in this particular domain we're going to discuss how to build the program, because the program includes the controls, and controls we implement based on the risk assessment, and that we already did in domain two.

So when we're talking about the program, okay, give me a second. So when you're talking about the program, a program is all about a set of controls which include your risk management, incident management, other functions. So we develop the cohesive program to move away from a fragmented security effort and integrate security into the enterprise-wide risk awareness, and a good program is the one which can be integrated across the organization. So the program steps include define the desired outcome, like the outcome is I want to implement the GDPR controls, I want to implement the ISMS; so the program steps include define the desired outcomes, then we conduct the gap analysis, and then we develop the strategy. This can be the testable parameter, like when we do gap assessment: so when we are defining a desired outcome, then we do the gap analysis, and then we develop the strategy and road map to bridge the gap. Okay, my outcome is I want security controls; current, what is the level of security control; then we develop the strategy to fill the gap. So what is the context here: as a CISM professional you're responsible for structuring an effective program with a measurable outcome, and that is only possible with the help of metrics, and we have to make sure this program is aligned with the security objectives and enterprise goals.

Now when you're talking about this program, the program has a framework, so we use COBIT, we use 27001, and we also use NIST CSF, cyber security framework, and we also use enterprise security architecture, which acts as a blueprint, aligning your security with business goals and supporting risk management, because by using an architecture you are able to organize things in a block. So as a CISM candidate you should be familiar with the frameworks, because frameworks help the CISM to choose the best approach to building and maintaining a program, okay.

Now when we are talking about the program outcome, the program outcome is mapped with the strategic alignment, risk management, value delivery, resource management and performance measurement. We already discussed in the past, like my initiative should be aligned to the business, for that we do risk management; your program should create value, should have a proper ROI, and we should be able to manage the resources effectively, and we should introduce metrics to measure the program effectiveness. So we develop the program in phases, starting with a stakeholder interview, we draft the policies and ensure the policy compliance. So as a CISM candidate, the road map basically helps the CISM to create a step-by-step guide for implementing security initiatives and make sure keeping the strategic alignment with the business goals is a priority.

Now when you're implementing a program you introduce metrics. So we have operational metrics, which measure day-to-day security activities like vulnerability management, open vulnerabilities and all that. Second is called management metrics, which track the policy compliance, cost effectiveness, and then we have strategic metrics which align with the organization-level security goals. Strategic metrics are introduced to convey to the board, management metrics to convey to CISOs, and operational metrics are for the operation teams, so by this they are able to track things. So as a CISM candidate you should know that effective use of metrics allows the CISM to demonstrate the program progress to senior management, and also based on the metrics only take a decision, so it enables data-driven decisions.

Now when you're talking about program management, so program management, the first thing is it includes the program objectives, where we have to define goals in measurable terms, so we establish the metrics and monitor the performance. Let's say for example my goal is to maintain 99.999% availability, that is my measurable term, okay. Then based on that I will establish the metrics, I will try to monitor, I have to make sure the maximum downtime is 1%, it should not go beyond that, because 99% is the availability we have to maintain, and that is why we have a committee which is the team of
have an committee which is the team of the security Business technical and
the security Business technical and everything who jointly discuss
everything who jointly discuss everything and the good information
everything and the good information security strategy or approval
security strategy or approval requirement of security strategy comes
requirement of security strategy comes if the security sharing committee or
if the security sharing committee or strategy committee approve that strategy
strategy committee approve that strategy because if they approving it mean we're
because if they approving it mean we're taking a consent from all the
taking a consent from all the Departments so as a committee will guide
Departments so as a committee will guide the strategy and approve changes and
the strategy and approve changes and ensure alignment with the organization
ensure alignment with the organization goal now next thing we talk about the
goal now next thing we talk about the context so program management ensure the
context so program management ensure the is program achieve its defined
is program achieve its defined objectives Shing committee which provide
objectives Shing committee which provide the essential oversight and support now
the essential oversight and support now next important part we need to
next important part we need to understand is training program now
understand is training program now please please listen this carefully we
please please listen this carefully we have a three things here one we talk
have a three things here one we talk about the
about the awareness one we talk about the
awareness one we talk about the training and one we talk about the
behavior training modify skill education modify
skill education modify career Okay so
career Okay so we have a
we have a task to perform a task you need a
task to perform a task you need a special
special skill to perform a skill you need a
skill to perform a skill you need a knowledge and knowledge you impart from
knowledge and knowledge you impart from the training not from awareness training
the training not from awareness training so you're attending a cism program where
so you're attending a cism program where you will learn the knowledge of security
you will learn the knowledge of security governance that basically create a skill
governance that basically create a skill for you how to create a policy and
for you how to create a policy and everything and based on that you can
everything and based on that you can able to do the task but do you have the
able to do the task but do you have the adequate knowledge we do the competency
adequate knowledge we do the competency score
score test you are an impression that okay
test you are an impression that okay eight character is a secure password so
eight character is a secure password so you are using 1 2 3 4 5 6 7
you are using 1 2 3 4 5 6 7 8 but now in the awareness program you
8 but now in the awareness program you got to know that you have to change the
got to know that you have to change the behavior you have to use alpha numeric
behavior you have to use alpha numeric special character that is basically part
special character that is basically part of
of awareness so question is when to do
awareness so question is when to do training when to do awareness whenever
training when to do awareness whenever an employee join the
an employee join the organization after joining the
organization after joining the organization the first thing he will do
organization the first thing he will do he will sign the NDA sign the contract
he will sign the NDA sign the contract and then he attend the awareness and
and then he attend the awareness and training program so we start the
training program so we start the training at OD moding and we Contin with
training at OD moding and we Contin with the regular updates we also have a role
the regular updates we also have a role Based training for the specific skill
Based training for the specific skill sets we use different methods for the
sets we use different methods for the engagement like quiz reminders the best
engagement like quiz reminders the best method is
method is gamification we have to choose
gamification we have to choose communication method and content
communication method and content appropriate so according to audience we
appropriate so according to audience we have to prepare the content according to
have to prepare the content according to audience we have to prepare the training
audience we have to prepare the training content also that is something is very
content also that is something is very very important okay so as a CSM
very important okay so as a CSM awareness program reduce the human
awareness program reduce the human errors so the human is the weakest link
errors so the human is the weakest link in the organization so no matter in one
in the organization so no matter in one laptop you have a strong password you
laptop you have a strong password you have a best EDR and all that but if
have a best EDR and all that but if there's no patch for human stupidity so
there's no patch for human stupidity so if human do mistake it's a problem like
if human do mistake it's a problem like social engineering password sharing can
social engineering password sharing can be mitigated by the human awareness only
be mitigated by the human awareness only that's why we say the most effective
that's why we say the most effective control for social engineering is the
control for social engineering is the awareness program because with the help
awareness program because with the help of awareness program we can able to
of awareness program we can able to improve the
improve the behavior of the person and one of the
behavior of the person and one of the best way to meure the awareness program
best way to meure the awareness program is increase in the incent report and
is increase in the incent report and decrease in a security viation because
decrease in a security viation because if they attend the awareness training
if they attend the awareness training they get more information about how to
they get more information about how to report an incident and by reporting more
report an incident and by reporting more incident we can reduce a security
incident we can reduce a security violation so we always believe that
violation so we always believe that security program should be integrated
security program should be integrated with the it operations and it should be
with the it operations and it should be integrated as early as possible so one
integrated as early as possible so one of the program we have is sdlc software
of the program we have is sdlc software development life cycle and we always
development life cycle and we always prefer the security should introduce as
prefer the security should introduce as early as possible because if you go by
early as possible because if you go by the sdlc process we have a different
the sdlc process we have a different phases in the sdlc the first step is
initiation second is called as a acquisition and development third is
acquisition and development third is called as a implementation then fourth
called as a implementation then fourth is called as an
is called as an operation we always prefer security
operation we always prefer security should be introduced as early as
should be introduced as early as possible that's why in the initiation we
possible that's why in the initiation we introduce
introduce security because this is where you
security because this is where you understand the requirement of the
understand the requirement of the customer then you take a call whether
customer then you take a call whether you need to develop develop in-house or
you need to develop develop in-house or you have to acquire from outside then
you have to acquire from outside then you go for testing and then you deploy
you go for testing and then you deploy the
the operations we also have a new modern
operations we also have a new modern methodology so we have a two type of of
methodology so we have a two type of of development methodology one is called as
development methodology one is called as a
a iterative iterative and one is called as
iterative iterative and one is called as a non-
a non- iterative iterative you're interacting
iterative iterative you're interacting with the customer parall and discussing
with the customer parall and discussing things and the best example of iterative
things and the best example of iterative is
is agile non iterative is waterfall so if
agile non iterative is waterfall so if you see the Indian movies we call pushpa
you see the Indian movies we call pushpa pushpa so that is a non-iterative
pushpa so that is a non-iterative waterfall if you move from phase one to
waterfall if you move from phase one to phase two you cannot go back that's non
phase two you cannot go back that's non iterative iterative is like just like a
iterative iterative is like just like a suran movie whatever babuji will say I
suran movie whatever babuji will say I Will Follow That is a iterative so in
Will Follow That is a iterative so in iterative what happen we have a daily
iterative what happen we have a daily meetings we have a weekly meeting to
meetings we have a weekly meeting to discuss the status of the project that's
discuss the status of the project that's why we introduce the concept Dave Ops
why we introduce the concept Dave Ops and Dave secops so in this case what
and Dave secops so in this case what happened we have a development team and
happened we have a development team and then we have a operation team and then
then we have a operation team and then we have a quality team and they follow
we have a quality team and they follow one concept which is called CI and CD so
one concept which is called CI and CD so during a CI we develop the module we
during a CI we develop the module we integrate the model then we release the
integrate the model then we release the module then we test the model and then
module then we test the model and then then we store in the Repository so we
then we store in the Repository so we introduce module by module in the
introduce module by module in the pipeline so we integrate the security in
pipeline so we integrate the security in the gel process why to ensure the secure
the gel process why to ensure the secure continuous deployment so this is the
continuous deployment so this is the pointer you need to know by in so what
pointer you need to know by in so what is the best way you can maintain the
is the best way you can maintain the secure continuous delivery by
secure continuous delivery by integrating Security in the gel process
integrating Security in the gel process how you ensure the security in sdlc you
how you ensure the security in sdlc you can introduce the security as early as
can introduce the security as early as possible which save time and cost
possible which save time and cost also and the best way you can ensure the
also and the best way you can ensure the Securities integrate the security
Securities integrate the security program in the sdlc that's something we
program in the sdlc that's something we can try so CM should facilitate the
can try so CM should facilitate the integration of information security with
integration of information security with it operation to ensure security is bed
it operation to ensure security is bed into the process not treated as
into the process not treated as afterthought that's a very important
afterthought that's a very important part the next important thing we talk
part the next important thing we talk about the program Communications
about the program Communications reporting and Performance Management so
reporting and Performance Management so it's very important you need to
it's very important you need to regularly update the
regularly update the stakeholders to ensure the
stakeholders to ensure the transparencies and make sure you use
transparencies and make sure you use some kind of a dashboards to present the
some kind of a dashboards to present the security facts one thing always remember
security facts one thing always remember whenever you presenting the reportings
whenever you presenting the reportings whenever you presenting the facts make
whenever you presenting the facts make sure you should have a proper Integrity
sure you should have a proper Integrity because if you don't produce with the
because if you don't produce with the facts it's a problem so cesm need to
facts it's a problem so cesm need to ensure they have a strong communication
ensure they have a strong communication skills to convey the program values and
skills to convey the program values and ensure the continuous support from
ensure the continuous support from senior
senior leadership now next thing we talk about
leadership now next thing we talk about the policy procedure and
the policy procedure and program so one thing we need to
program so one thing we need to understand that when you implementing
understand that when you implementing security program the policy is the
security program the policy is the foundation step without policy
foundation step without policy governance can be ineffective and if you
governance can be ineffective and if you want to check the maturity of any
want to check the maturity of any company the first thing you ask the
company the first thing you ask the policy document so let's say example we
policy document so let's say example we have a business we have a legal we have
have a business we have a legal we have a regulat requirement and here the
a regulat requirement and here the Senior Management has a intention they
Senior Management has a intention they have a wish the people who working on
have a wish the people who working on the operation level like people process
the operation level like people process and Technology wish to comply with the
and Technology wish to comply with the regulations legal and
regulations legal and business so first thing what we do we
business so first thing what we do we create a
create a policy so policy set the intention set
policy so policy set the intention set the expectations and directions always
the expectations and directions always remember hey guys every system must be
remember hey guys every system must be protected with the password so that's a
protected with the password so that's a policy so employee will say okay we know
policy so employee will say okay we know but what is a what is the size of the
but what is a what is the size of the password so password should be eight
password so password should be eight character that is called standard eight
character that is called standard eight character step by-step process of
character step by-step process of creating a password that is called
creating a password that is called procedure so policy is strategic in
procedure so policy is strategic in nature standard is tactical and
nature standard is tactical and operational is procedure in nature
operational is procedure in nature guideline is optional good to have and
guideline is optional good to have and any kind of a deviations we doing from
any kind of a deviations we doing from the policy make sure we should follow
the policy make sure we should follow the exception management and make sure
the exception management and make sure we document that approach so your policy
we document that approach so your policy standard may need
standard may need expectations exceptions also so we can
expectations exceptions also so we can establish the formal document process
establish the formal document process for the risk based exceptions example
for the risk based exceptions example like we have a policy no one supposed to
like we have a policy no one supposed to send data outside of the organization
send data outside of the organization standard is we should not send
standard is we should not send confidential data but in some cases we
confidential data but in some cases we have to send those data so we follow the
have to send those data so we follow the exception process we assess the risk of
exception process we assess the risk of non-compliance and then we send that and
non-compliance and then we send that and we have to do ment this exceptions
we have to do ment this exceptions because policy is sometime dynamic in
because policy is sometime dynamic in nature you cannot have an anarchy
nature you cannot have an anarchy there and policy need to be reviewed
there and policy need to be reviewed annually or in the case of major change
annually or in the case of major change in the business that's a very important
in the business that's a very important part you need to understand so a well-
part you need to understand so a well- defined policy standard support the
defined policy standard support the effective governance and when you're
effective governance and when you're building a policy the most important
building a policy the most important element is that it should have a
element is that it should have a compliance with the strictness with
compliance with the strictness with flexibility to demonstrate the Practical
flexibility to demonstrate the Practical change that something is there okay now
change that something is there okay now next thing we need to understand the
next thing we need to understand the controls I think we already discussed
controls I think we already discussed that but just for a
that but just for a Clarity so we have a preventative
Clarity so we have a preventative control which stop the incident before
control which stop the incident before they occur detective control identify
they occur detective control identify incidents corrective is address the
incidents corrective is address the impact of the incident and compensating
impact of the incident and compensating is alternative control when primary
is alternative control when primary control is insufficient but is the
control is insufficient but is the control is working effectively and
control is working effectively and that's something we assess with the help
that's something we assess with the help of VAP so ultimate goal of doing a VAP
of VAP so ultimate goal of doing a VAP testing is to check the control
testing is to check the control Effectiveness so any question talking
Effectiveness so any question talking about ultimate goal of testing ultimate
about ultimate goal of testing ultimate goal of VAP answer is demonstrating the
goal of VAP answer is demonstrating the effectiveness of the control if I'm
effectiveness of the control if I'm saying firewall is effective by doing a
saying firewall is effective by doing a vapt we assessing the firal
vapt we assessing the firal effectiveness so we regularly evaluate
effectiveness so we regularly evaluate control Effectiveness to adapt to the
control Effectiveness to adapt to the new risk and validate the controls
new risk and validate the controls aligned with the desired security
aligned with the desired security posture and by VAP we do that so cesm
posture and by VAP we do that so cesm has a task which ensure the controls
has a task which ensure the controls effectively manage the
effectively manage the risk okay optimize a defense in depth
risk okay optimize a defense in depth strategy that that actually balance the
strategy that that actually balance the cost with security need
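The policy, standard and exception process described a little earlier (policy states the intent, the standard gives the measurable value, deviations go through a documented and risk-assessed exception, and the policy itself is reviewed annually) can be expressed as a small check in code. The following is an added example, not code from the video or from ISACA; the policy text, the system inventory, the exception register entries, the owners and the dates are all constructed for the illustration.

```python
"""Added example (not from the video): policy, standard and exception
management as a simple compliance check.

A policy states the intent, a standard gives the measurable value, any
deviation is accepted only through a documented, approved, unexpired
exception, and the policy itself must be reviewed at least annually.
All systems, owners, dates and exception IDs here are constructed.
"""
from datetime import date, timedelta

# Policy: strategic statement of intent (constructed example).
POLICY = {
    "id": "POL-PWD-01",
    "statement": "Every system must be protected with a password.",
    "last_reviewed": date(2024, 3, 1),
}
# Standard: the tactical, measurable value behind the policy.
STANDARD = {"min_password_length": 8}
# Policies are reviewed annually or on major business change.
REVIEW_INTERVAL = timedelta(days=365)

# Constructed inventory: the minimum password length each system enforces.
SYSTEMS = {
    "app-server-1": 12,
    "legacy-hmi-7": 4,
    "kiosk-3": 6,
    "db-server-2": 14,
}

# Constructed exception register. EXC-0002 is incomplete on purpose: it has
# no risk assessment and no approver, so it must not count as an exception.
EXCEPTIONS = [
    {
        "id": "EXC-0001",
        "system": "legacy-hmi-7",
        "control": "min_password_length",
        "risk_assessment": "Vendor firmware caps the PIN at 4 digits; "
                           "device is network-isolated; compensating "
                           "control: physical access control to the cabinet",
        "approved_by": "CISO",
        "expires": date(2024, 12, 31),
    },
    {
        "id": "EXC-0002",
        "system": "kiosk-3",
        "control": "min_password_length",
        "risk_assessment": "",
        "approved_by": "",
        "expires": date(2024, 6, 30),
    },
]

# An exception is only valid when it is fully documented and not expired.
REQUIRED_FIELDS = ("risk_assessment", "approved_by", "expires")


def valid_exception(exc, system, control, today):
    """True only for a documented, approved, unexpired exception for this
    system and control; anything else is an undocumented deviation."""
    if exc["system"] != system or exc["control"] != control:
        return False
    if any(not exc.get(field) for field in REQUIRED_FIELDS):
        return False
    return exc["expires"] >= today


def assess(systems=SYSTEMS, exceptions=EXCEPTIONS, today=date(2024, 7, 15)):
    """Classify every system as compliant, excepted or in violation and flag
    whether the policy's annual review is overdue."""
    report = {"compliant": [], "excepted": [], "violations": []}
    for name, length in sorted(systems.items()):
        if length >= STANDARD["min_password_length"]:
            report["compliant"].append(name)
        elif any(valid_exception(e, name, "min_password_length", today)
                 for e in exceptions):
            report["excepted"].append(name)
        else:
            report["violations"].append(name)
    report["policy_review_due"] = (today - POLICY["last_reviewed"]) > REVIEW_INTERVAL
    return report


def assess_on(iso_day):
    """Convenience wrapper: run the assessment as of a YYYY-MM-DD date."""
    return assess(today=date.fromisoformat(iso_day))


if __name__ == "__main__":
    print(assess())
    print(assess_on("2025-04-01"))
```

Run as of 2024-07-15, the two servers meet the standard, `legacy-hmi-7` is covered by the documented exception, and `kiosk-3` is a violation because its exception was never risk-assessed or approved. Run again as of 2025-04-01, the exception has expired and the policy's annual review is flagged as overdue, which is exactly the two things the exception register is supposed to surface.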
cost with security need the question is how can we do this
the question is how can we do this controls so we introduced some kind of
controls so we introduced some kind of an automation controls which reduce a
an automation controls which reduce a human error but that demand the
human error but that demand the consistent configuration without having
consistent configuration without having a consistent configuration it is
a consistent configuration it is difficult for us to implement the
difficult for us to implement the Automation in the controls and one
Automation in the controls and one primary advantage of automation control
primary advantage of automation control is fastest way to respond to any
is fastest way to respond to any incidents another important automation
incidents another important automation we are using is sore security
we are using is sore security orchestration automation response okay
orchestration automation response okay so this word orchestration is a word
so this word orchestration is a word come from orchestra band
come from orchestra band imagine like you know you have a drum
imagine like you know you have a drum you have a piano you have a flute so
you have a piano you have a flute so everyone has to play together in such a
everyone has to play together in such a way that it creating meaningful sound
way that it creating meaningful sound music same like in the organization we
music same like in the organization we have a
have a firewall okay so we have a firewall
firewall okay so we have a firewall here and then we have a s
here and then we have a s here then we have a system a and then we
here then we have a system a and then we have a
have a sore so now what happen any incident
sore so now what happen any incident happen any incident is let
happen any incident is let me so any incident is trigger okay F
me so any incident is trigger okay F will send the logs to
will send the logs to sim that activi is basically went to a
sim that activi is basically went to a that information goes to s s basically
that information goes to s s basically feed the locks to sore SAR is basically
feed the locks to sore SAR is basically based on that it acts like a brain and
based on that it acts like a brain and according to the will try to block the
according to the will try to block the attack so here what happened all
attack so here what happened all solutions are orchestrated with the help
solutions are orchestrated with the help of sore so he take the unified approach
of sore so he take the unified approach through which he integrate and respond
through which he integrate and respond to the thing so the biggest reason of
to the thing so the biggest reason of using a s is enabling the faster thread
using a s is enabling the faster thread detection and response because they
detection and response because they follow one concept which is called run
follow one concept which is called run book the reason of introducing a sore is
book the reason of introducing a sore is the initially what happened when we used
the initially what happened when we used to have any incident on a particular
to have any incident on a particular system we always send a L1 guy there
system we always send a L1 guy there security analyst L1 to save time and all
security analyst L1 to save time and all that now we create threshold if this
that now we create threshold if this this happen they should block this if
this happen they should block this if did did this happen we block this so
did did this happen we block this so that instruction has to given in the
that instruction has to given in the sore and that instruction is called as a
sore and that instruction is called as a run book
run book okay so they follow the predefined
okay so they follow the predefined instructions for the basic incidents
instructions for the basic incidents which save time of the sock
which save time of the sock professionals there's another solution
professionals there's another solution we are using is which is called as a log
we are using is which is called as a log management system so we have a firewall
management system so we have a firewall here we have a
here we have a switch we have a system a we have a
switch we have a system a we have a system B we have a system
system B we have a system C okay now if you can notice here we
C okay now if you can notice here we have a here log management system so any
have a here log management system so any activity happened bypass the firewall
activity happened bypass the firewall when to system a b c d so if you don't
when to system a b c d so if you don't have a lock server manually we have to
have a lock server manually we have to go to firewall manually we have to go to
go to firewall manually we have to go to system a b c to collect the locks and
system a b c to collect the locks and then we have to check the lcks which
then we have to check the lcks which take time and devices does not have
take time and devices does not have enough storage to hold the huge amount
enough storage to hold the huge amount of logs that's why what happen any
of logs that's why what happen any activity happen the firewall I want one
activity happen the firewall I want one dedicated server to keep all the logs
dedicated server to keep all the logs and that's why we introduced the concept
and that's why we introduced the concept of log
of log server okay that is why we introduce the
server okay that is why we introduce the concept of log
concept of log server but problem is that now any
server but problem is that now any activity record in the fire it will not
activity record in the fire it will not store in the firewall it will be stored
store in the firewall it will be stored in the lock server lock server lock
in the lock server lock server lock server so now we have one server we keep
server so now we have one server we keep all the locks all the
all the locks all the locks but the problem is that again
locks but the problem is that again manually we have to convert the locks
manually we have to convert the locks manually we need to correlate the logs
manually we need to correlate the logs manually we need to just take time so if
manually we need to just take time so if I'm looking for the correlation purpose
I'm looking for the correlation purpose and all that then we introduce a concept
and all that then we introduce a concept which is called
which is called s
s Security in
Security in event security insent event management
event security insent event management or security information event management
or security information event management tool there's no tool in this world
tool there's no tool in this world detect the incident they detect the
detect the incident they detect the event so now what happened any activity
event so now what happened any activity happen in the firewall it go to the S S
happen in the firewall it go to the S S sim the first step what they do they
sim the first step what they do they collect the loog they normalize the
collect the loog they normalize the normalize basically mean converting log
normalize basically mean converting log into one common format then correlate
into one common format then correlate and generate the activity but again Sim
and generate the activity but again Sim only detect the threats but correlate
only detect the threats but correlate the threats respond to threats block the
the threats respond to threats block the threats so they basically send the
threats so they basically send the instruction to sore and sore based on
instruction to sore and sore based on that block the attacks and that's how
that block the attacks and that's how the security evaluation start so as a
the security evaluation start so as a cism
cism context what we need to understand here
context what we need to understand here is um automation control enhance the
is um automation control enhance the reliability and scalability and core
reliability and scalability and core aspect of program
aspect of program management so I want to show you
management so I want to show you something just give me
something just give me second so if you can see if you can see
second so if you can see if you can see the scenario you can see the very good
the scenario you can see the very good perspective is firewall protect the
perspective is firewall protect the network parameter so it inspect and
network parameter so it inspect and block the incoming outgoing Network
block the incoming outgoing Network traffic then we have a ad
traffic then we have a ad in every system which secure the
in every system which secure the individual endpoint monitor detect the
individual endpoint monitor detect the suspicious activity then we have a Sim s
suspicious activity then we have a Sim s correlate data and detect the threats
correlate data and detect the threats which aggregate the lcks from firewalls
which aggregate the lcks from firewalls EDR and based on the and then they give
EDR and based on the and then they give information to sore sore is basically
information to sore sore is basically based on that take the automatic
based on that take the automatic decisions that's how things works in the
decisions that's how things works in the organization okay now next important
organization okay now next important element we called about the third party
element we called about the third party management so third party mean we
management so third party mean we dealing with third party who providing
dealing with third party who providing me services so let's take example okay
me services so let's take example okay so this is my company
so this is my company a so we have a company a I'm conducting
a so we have a company a I'm conducting a
a sessions I'm conducting online training
sessions I'm conducting online training and for that I have relied on the vendor
and for that I have relied on the vendor which is called as a zoom or go to
which is called as a zoom or go to meeting if they are down by end of the
meeting if they are down by end of the day I'm the one who answerable to the
day I'm the one who answerable to the customer so even I'm transferring the
customer so even I'm transferring the responsibility but I'm accountable for
responsibility but I'm accountable for things example like you reach out to me
things example like you reach out to me for training right right and we agreed
for training right right and we agreed that okay from Sunday we'll have a
that okay from Sunday we'll have a session but that time zoom zoom doesn't
session but that time zoom zoom doesn't working so by end of the day I'm the one
working so by end of the day I'm the one who answerable to you so that's why in
who answerable to you so that's why in the company we have one Department which
the company we have one Department which is called as a vendor Management
is called as a vendor Management Department okay give me a second so we
Department okay give me a second so we have a department which is called as a
have a department which is called as a vendor management
vendor management department so when they onboard the
department so when they onboard the vendor they assess the vendor risk
vendor they assess the vendor risk evaluate the things and all that okay to
evaluate the things and all that okay to make sure the vendor should not impact
make sure the vendor should not impact anything so in the vendor management the
anything so in the vendor management the first step is Define the third party
first step is Define the third party risk management requirement and anything
risk management requirement and anything you basically take the services it will
you basically take the services it will do based on the contract so contract
do based on the contract so contract include the right to audit
include the right to audit clause and third is that regularly we
clause and third is that regularly we have to assess the third party
have to assess the third party compliance with slle one thing you need
compliance with slle one thing you need to make sure when you're Outsourcing a
to make sure when you're Outsourcing a Services you have to document all the
Services you have to document all the service expectation in the SLA in
service expectation in the SLA in contract if you fail to achieve the SLA
contract if you fail to achieve the SLA then it's a problem so right to audit
then it's a problem so right to audit Clause is very very important so we have
Clause is very very important so we have to ensure the vendors uphold the
to ensure the vendors uphold the security policies and establish the exit
security policies and establish the exit strategy to manage the transition that's
strategy to manage the transition that's a very important part that we need to
a very important part that we need to understand okay that's a very important
understand okay that's a very important part you need to understand another
part you need to understand another important thing we need to understand
important thing we need to understand here is the managing vendor security is
here is the managing vendor security is a critical
a critical responsibility especially in the case of
responsibility especially in the case of Outsourcing because it increas the
Outsourcing because it increas the complexity and risk and only way you can
complexity and risk and only way you can able to manage this control L by the
able to manage this control L by the contract and make sure in the contract
contract and make sure in the contract you add the right to audit Clause that's
you add the right to audit Clause that's a very important part okay
a very important part okay the next important part we call as a
the next important part we call as a compliance and enforcement so we have to
compliance and enforcement so we have to do compliance monitoring so we do
do compliance monitoring so we do continuous monitoring and then into the
continuous monitoring and then into the policies and standard and we have to
policies and standard and we have to ensure the policy compliance thoro
ensure the policy compliance thoro automate tools with periodic review so
automate tools with periodic review so compliance enforcement reduce a risk and
compliance enforcement reduce a risk and helps to meet the regulatory requirement
helps to meet the regulatory requirement and as a cesm you should create and
and as a cesm you should create and maintain the strong compliance culture
maintain the strong compliance culture and whatever you implemented you do the
and whatever you implemented you do the monitoring so we have ongoing monitoring
monitoring so we have ongoing monitoring with the help we can track the
with the help we can track the performance and detect the unusual
performance and detect the unusual activities and for instant interaction
activities and for instant interaction we use IDs and Sim I already discussed
we use IDs and Sim I already discussed IDs intrusion detection system so when
IDs intrusion detection system so when we're talking about the idas you know
we're talking about the idas you know there's a dedicated video I made on that
there's a dedicated video I made on that in idas we have a two things one is
in idas we have a two things one is called as a host based IDs one is called
called as a host based IDs one is called as a network based IDs let's say example
as a network based IDs let's say example this is my
this is my nids which I install in the border of
nids which I install in the border of the network then we have a switch here
the network then we have a switch here then we have a system a then we have a
then we have a system a then we have a system B and then we have a system
system B and then we have a system C okay so now what happen is we have a
C okay so now what happen is we have a traffic which pass through the nads nads
traffic which pass through the nads nads can track from where it is coming to
can track from where it is coming to where it is going but it will not able
where it is going but it will not able to detect what kind of a changes it
to detect what kind of a changes it introdu in a b c so for that in every
introdu in a b c so for that in every system we install the HIDs HIDs detect
system we install the HIDs HIDs detect the intrusion in each
the intrusion in each systems but the question is now how the
systems but the question is now how the IDS will detect the intrusion
IDS will detect the intrusion so first they use a
so first they use a signature and second is called as a
signature and second is called as a behavior so when the packet pass to the
behavior so when the packet pass to the nids N ID is check the signature of the
nids N ID is check the signature of the traffic and compare again the stored
traffic and compare again the stored signature if it match it is a intrusion
signature if it match it is a intrusion that is called Signature base but one
that is called Signature base but one disadvantage of signature base is that
disadvantage of signature base is that it failed to DCT the new attacks that's
it failed to DCT the new attacks that's why we introduce a second called
why we introduce a second called behavioral base which is also called as
behavioral base which is also called as anomaly so in the anomaly what happen we
anomaly so in the anomaly what happen we sending a multiple
sending a multiple packets so we believe okay this are
packets so we believe okay this are series of packet receiving so example
series of packet receiving so example like we have a server server should
like we have a server server should receive the traffic on port number 80
receive the traffic on port number 80 but we receiving a traffic on port
but we receiving a traffic on port number 23 which is not expected and it
number 23 which is not expected and it is against the Baseline so that will be
is against the Baseline so that will be record under the
record under the anomaly and we also use a vulnerability
anomaly and we also use a vulnerability assessments and identifications and
assessments and identifications and everything so as a cism
everything so as a cism candidate okay so continuous monitoring
candidate okay so continuous monitoring is essential for identifying and
is essential for identifying and addressing potential issues in real time
addressing potential issues in real time and the critical part of cism role is to
and the critical part of cism role is to maintain the effective security posture
maintain the effective security posture so we use some kind of metrics like we
so we use some kind of metrics like we use KGI kpi K to measure the progress
use KGI kpi K to measure the progress demonstrate the value so whenever the
demonstrate the value so whenever the question talking about Information
question talking about Information Security Programs we use this kpi KJ K
Security Programs we use this kpi KJ K most important is K and if you're
most important is K and if you're looking for cost benefit analysis we use
looking for cost benefit analysis we use a TCO total cost of ownership the
a TCO total cost of ownership the investment that you did and the profit
investment that you did and the profit that you earn that's called Roi return
that you earn that's called Roi return of investment example like you're
of investment example like you're spending money on cism training you
spending money on cism training you spending money on the cism certification
spending money on the cism certification that's called TCO and based on that you
that's called TCO and based on that you get a hike of $5,000 $1,000 doll that is
get a hike of $5,000 $1,000 doll that is called as a Roi return of investment so
called as a Roi return of investment so it's very important if you want to
it's very important if you want to demonstrate the information security
demonstrate the information security program values so the metrix and cost
program values so the metrix and cost analysis it can be done with the help of
analysis it can be done with the help of Investments it can be done with the help
Investments it can be done with the help of the TC and R metrics now next
of the TC and R metrics now next important thing we talk about the cloud
important thing we talk about the cloud computing very very important very
computing very very important very important okay now when we're talking
important okay now when we're talking about cloud cloud is just like an
about cloud cloud is just like an internet okay okay you know when we used
internet okay okay you know when we used to draw internet so we used to draw like
to draw internet so we used to draw like this so same we call as a cloud cloud is
this so same we call as a cloud cloud is just like that Computing is all about
processor memory CPU storage that you can access
memory CPU storage that you can access from anywhere so when we're talking
from anywhere so when we're talking about cloud computing uh it's very
about cloud computing uh it's very important for us that from a from a exam
important for us that from a from a exam perspective you need to understand one
perspective you need to understand one thing is data security data governance
thing is data security data governance is a responsibility and accountability
is a responsibility and accountability of a cloud customer physical security is
of a cloud customer physical security is a responsibility of a cloud provider
a responsibility of a cloud provider let's say example this is you a subject
let's say example this is you a subject data subject who went to the
data subject who went to the bank bank is using a third party Cloud
bank bank is using a third party Cloud for the
for the CRM okay so if if cloud is compromised
CRM okay so if if cloud is compromised data is compromised by end of the bank
data is compromised by end of the bank is the one who answerable to customer
is the one who answerable to customer it's answerable to RBI it's answerable
it's answerable to RBI it's answerable to SEC so one thing you transferring the
to SEC so one thing you transferring the responsibility but you cannot transfer
responsibility but you cannot transfer the
the accountability so when it comes to the
accountability so when it comes to the cloud okay the biggest reason of going
cloud okay the biggest reason of going for the cloud is on demand it is
for the cloud is on demand it is available whenever it required right
available whenever it required right agree and you can compare cloud
agree and you can compare cloud computing On Demand with Uber you went
computing On Demand with Uber you went you moved to New City and you new to
you moved to New City and you new to that City you don't want to own the
that City you don't want to own the car okay so you decided to use Uber on
car okay so you decided to use Uber on demand and they have a broad network
demand and they have a broad network access you can access from anywhere they
access you can access from anywhere they also offer you metrics measure Services
also offer you metrics measure Services how much you use you will do the bilding
how much you use you will do the bilding accordingly and they have a rapid
accordingly and they have a rapid scalability elasticity you need two cars
scalability elasticity you need two cars it it will be available you need one car
it it will be available you need one car it is available so these are the ideal
it is available so these are the ideal features which reflect a good cloud
features which reflect a good cloud provider now the cloud computing
provider now the cloud computing providing three type of services is pass
providing three type of services is pass and SAS so is provision the
and SAS so is provision the storage okay
storage okay memory RAM CPU sorry storage storage RAM
memory RAM CPU sorry storage storage RAM and CPU we only need to pay or billing
and CPU we only need to pay or billing will be done based how much storage I'm
will be done based how much storage I'm consuming how much RAM I'm consuming how
consuming how much RAM I'm consuming how much CPU I'm consuming I can decide as a
much CPU I'm consuming I can decide as a customer what OS I want to install or
customer what OS I want to install or application I want to install so yes you
application I want to install so yes you can say from the options point of view
can say from the options point of view uh in this case customer has a more
uh in this case customer has a more control but consider option to minimize
control but consider option to minimize the impact if cloud provider experien
the impact if cloud provider experien service Interruption it's a problem okay
service Interruption it's a problem okay second is called as a platform as a
second is called as a platform as a services platform services mean I don't
services platform services mean I don't want to own Ram CPU I don't have a time
want to own Ram CPU I don't have a time just provide me the defined computation
just provide me the defined computation I will move my application on that
I will move my application on that particular computation my expertise
particular computation my expertise doing a development I'm good with that
doing a development I'm good with that you handle the computation that is
you handle the computation that is called as a platform as a Services which
called as a platform as a Services which allow for a deployment of customer
allow for a deployment of customer created acquire application using a
created acquire application using a programming language third is called as
programming language third is called as a software services I don't want do
a software services I don't want do anything I'm a startup I want CRM so you
anything I'm a startup I want CRM so you develop the CRM you build the CRM and
develop the CRM you build the CRM and provide me as a Services because I don't
provide me as a Services because I don't have a money to spend money on the
have a money to spend money on the hardware so today I don't want to buy a
hardware so today I don't want to buy a very huge Hardware configuration with a
very huge Hardware configuration with a basic laptop I can connect to the cloud
basic laptop I can connect to the cloud and I can access any application and the
and I can access any application and the best example of SAS is Gmail Office 365
best example of SAS is Gmail Office 365 best example everything is developed by
best example everything is developed by Microsoft you just need an internet
Microsoft you just need an internet connection with the help of connection
connection with the help of connection you can connect with the cloud and
you can connect with the cloud and access your application from
access your application from anywhere okay so that's a thing so as
anywhere okay so that's a thing so as you know in AAS you have a limited
you know in AAS you have a limited control so only way you can able to
control so only way you can able to control is contract you bring try to
control is contract you bring try to bring more and more customization with
bring more and more customization with the help of contract so summary is that
the help of contract so summary is that when it comes to SS software as Services
when it comes to SS software as Services the provider manage more security aspect
the provider manage more security aspect customer focus on user access control
customer focus on user access control and data protection in the platform of
and data protection in the platform of services customer responsible for
services customer responsible for securing application they develop on the
securing application they develop on the platform in the IAS customer handle the
platform in the IAS customer handle the operating system security and
operating system security and application security data protection
application security data protection everything will be handled by the cloud
everything will be handled by the cloud customer now it's up to us how we deploy
customer now it's up to us how we deploy the services so we have four type of
the services so we have four type of deployment here the first is called as a
deployment here the first is called as a public Cloud cost
public Cloud cost effective okay but less control over the
effective okay but less control over the security like example you open the
security like example you open the Amazon you subscribe to Amazon Services
Amazon you subscribe to Amazon Services I subscribe to Amazon Services we have a
I subscribe to Amazon Services we have a common SL and everything that's called
common SL and everything that's called public Cloud it is same like me and you
public Cloud it is same like me and you are going on the same party second is
are going on the same party second is called as a private Cloud private Cloud
called as a private Cloud private Cloud mean greater controls security but high
mean greater controls security but high cost dedicated instances will be
cost dedicated instances will be available to you you build your own Data
available to you you build your own Data Center host the services hybrid is a
Center host the services hybrid is a combination public and private okay
combination public and private okay which offer flexibility but can
which offer flexibility but can introduce the integration challenge
introduce the integration challenge let's say example the company having its
let's say example the company having its own Data Center and host their own cloud
own Data Center and host their own cloud services they do their development on
services they do their development on this Zone and once the application is
this Zone and once the application is ready for a scalability reason they
ready for a scalability reason they using a public Cloud so they're using a
using a public Cloud so they're using a both that's example of hybrid
both that's example of hybrid Cloud okay so that's a example of hybrid
Cloud okay so that's a example of hybrid cloud and then you can reuse your
cloud and then you can reuse your inhouse infrastructure for some other
inhouse infrastructure for some other activities and Community cloud is like a
activities and Community cloud is like a balance a shared cost with a specific
balance a shared cost with a specific compliance need two three companies come
compliance need two three companies come together and they decided they will
together and they decided they will invest money and they will host the data
invest money and they will host the data because they don't have a budget to
because they don't have a budget to private Cloud but neither they want to
private Cloud but neither they want to go for public cloud in India the example
go for public cloud in India the example is ibcc and all that Indian Bank Cil so
is ibcc and all that Indian Bank Cil so summar is that data security governance
summar is that data security governance is the accountability of a cloud
is the accountability of a cloud customer and physical security is all
customer and physical security is all service model responsibility cloud
service model responsibility cloud provider this is all in the domain three
provider this is all in the domain three let's move to the domain four thank
let's move to the domain four thank you now next is domain four
you now next is domain four 30% of the content testable from domain
30% of the content testable from domain 4 and around 45 questions we can expect
4 and around 45 questions we can expect from domain
from domain 4 now when it comes to in Information
4 now when it comes to in Information Security inci Management very technical
Security inci Management very technical stuff okay so first we need to
stuff okay so first we need to understand the
understand the incident now incident is anything which
incident now incident is anything which impact the organization negative manner
impact the organization negative manner that is called as an incident okay and I
that is called as an incident okay and I will give an example the best
will give an example the best example
example so I have a scheduled training which
so I have a scheduled training which need to be start from 9:00 a.m.
need to be start from 9:00 a.m. I was there by 8:45 and 9:00 I was able
I was there by 8:45 and 9:00 I was able to start the session so that's an event
to start the session so that's an event so a series of activity used to achieve
so a series of activity used to achieve the business objective that is an
the business objective that is an event but I reach 95 which is against
event but I reach 95 which is against the business objective then it is an
the business objective then it is an incident so incident is anything which
incident so incident is anything which impact the organization negative manner
impact the organization negative manner now if you have a recurrence of incident
now if you have a recurrence of incident it lead to the disaster and if you don't
it lead to the disaster and if you don't give attention to disaster it lead to
give attention to disaster it lead to the
the crisis so difference between risk and
crisis so difference between risk and incident is risk is the probability but
incident is risk is the probability but in incident is a confirm
in incident is a confirm action so unexpected events impacting
action so unexpected events impacting information security or CIA that is
information security or CIA that is called as incident and the focus is on
called as incident and the focus is on management response so inent Management
management response so inent Management program fall under the risk management
program fall under the risk management it include
it include planning preparation identification
planning preparation identification containment eradication recovery which
containment eradication recovery which I'm going to discuss in the further
I'm going to discuss in the further slide so inent management is a overall
slide so inent management is a overall governance planning and coordination and
governance planning and coordination and response is a tactical actions that you
response is a tactical actions that you take okay so you can say like that
take okay so you can say like that response is a part of the Management
response is a part of the Management program okay so as a cism understanding
program okay so as a cism understanding these distinctions help in designing a
these distinctions help in designing a ProActive instent Management program
ProActive instent Management program that integrate with Enterprise risk
that integrate with Enterprise risk management and a good program is the one
management and a good program is the one which integrate with the risk management
which integrate with the risk management program now let me explain you with one
program now let me explain you with one correlation how risk management is
correlation how risk management is correlated with inser management see you
correlated with inser management see you identify the
identify the risk you evaluate and you treat I
risk you evaluate and you treat I skipped the assessment okay so some of
skipped the assessment okay so some of the treatment where the risk is within
the treatment where the risk is within an acceptable level so we have to
an acceptable level so we have to monitor
monitor that and that will be integrated to the
that and that will be integrated to the inent management because if any point of
inent management because if any point of time is going beyond the appetite and
time is going beyond the appetite and all that with the help of in management
all that with the help of in management we have to reduce the impact that is why
we have to reduce the impact that is why incident response program or inant
incident response program or inant management program is
management program is closely work with the risk man okay
closely work with the risk man okay especially residual risk now next
especially residual risk now next important thing we need to understand is
important thing we need to understand is the component of instant response plan
the component of instant response plan so identification classification of
so identification classification of incident because it is not possible for
incident because it is not possible for the one person to handle all the
the one person to handle all the incident so we always classify
incident so we always classify categories based on the urgency and
categories based on the urgency and impact so we receive two incident ticket
impact so we receive two incident ticket one ticket related to the workstation
one ticket related to the workstation one ticket related to the server so we
one ticket related to the server so we check the urgency and impact and
check the urgency and impact and according to that we take a call it is
according to that we take a call it is very important in your response plan you
very important in your response plan you must include the notification and
must include the notification and escalation
escalation process then we have a containment like
process then we have a containment like isolator system removing a virus that's
isolator system removing a virus that's called eradication restoring a system
called eradication restoring a system back to the production is
back to the production is recovery so ultimate goal of the instant
recovery so ultimate goal of the instant response plan or management plan is to
response plan or management plan is to minimize the
minimize the impact and we always look for the
impact and we always look for the facilitating the quick recovery and
facilitating the quick recovery and establish the severity criteria so as a
establish the severity criteria so as a CSM we have to ensure your IRP should be
CSM we have to ensure your IRP should be aligned with the bcpd plan and insure
aligned with the bcpd plan and insure resp response plan can be escalate to
resp response plan can be escalate to recovery if
recovery if needed now when we talking about the
needed now when we talking about the incident classification as I said
incident classification as I said incident will be classified based on the
incident will be classified based on the severity okay based on the number of
severity okay based on the number of acted systems and it is very very
acted systems and it is very very important to have a escalation process
important to have a escalation process why because when when you're defining
why because when when you're defining inent escalate to C management reporting
inent escalate to C management reporting is required and that something has to be
is required and that something has to be documented okay that's a very important
documented okay that's a very important part another important thing we always
part another important thing we always look for is proper classification
look for is proper classification escalation so we have to ensure the
escalation so we have to ensure the efficient handling and prioritization
efficient handling and prioritization because it allow seesm to maintain focus
because it allow seesm to maintain focus on incidents that align with the
on incidents that align with the Enterprise risk
Enterprise risk appetite and we have some some
appetite and we have some some terminologies here like we are using Sim
terminologies here like we are using Sim which Aggregate and correlate the events
which Aggregate and correlate the events then we introducing a new solution which
then we introducing a new solution which is called Ed Dr and xdr we already
is called Ed Dr and xdr we already discussed let's say example this is my
discussed let's say example this is my firewall and we connected with the
firewall and we connected with the switch and here we have a system
switch and here we have a system a so now what
a so now what happened we have IP we able to bypass
happened we have IP we able to bypass the firewall and went to the switch to a
the firewall and went to the switch to a if you talk about traditional antivirus
if you talk about traditional antivirus it detect the
it detect the virus okay in the file and based on that
virus okay in the file and based on that it react but if virus bypass the
it react but if virus bypass the antivirus and trying to modify the
antivirus and trying to modify the system memory system application I want
system memory system application I want to block in that level that is why in
to block in that level that is why in every system we install the
every system we install the EDR so E stand for endpoint d stand for
EDR so E stand for endpoint d stand for detection and respond so whenever any
detection and respond so whenever any memory Stacks any kind of modification
memory Stacks any kind of modification attemp Ed will try to block that but now
attemp Ed will try to block that but now it basically bypass a b c and all that
it basically bypass a b c and all that so for that we basically use the xdr so
so for that we basically use the xdr so xdr is work on the network
xdr is work on the network level and it aggregate that alerts and
level and it aggregate that alerts and according to that it will block the
according to that it will block the attack on the firewall and everything so
attack on the firewall and everything so ADR work on the endpoint specific but
ADR work on the endpoint specific but xdr work on the overal network we also
xdr work on the overal network we also have MDR MDR mean third party will
have MDR MDR mean third party will deploy the solution in your
deploy the solution in your organization okay so that is something
organization okay so that is something is called as a MDR which Outsource
is called as a MDR which Outsource security monitoring response services to
security monitoring response services to third party so as cism you have to be
third party so as cism you have to be familiar with these
familiar with these Technologies because selecting a tool
Technologies because selecting a tool that improve detection tracking
that improve detection tracking resolution is part of the need of the
resolution is part of the need of the organization now when you plan your in
organization now when you plan your in management and this is the most most
management and this is the most most important part you have this is called
important part you have this is called your insurent management cycle or
your insurent management cycle or life so first part is called as a
life so first part is called as a planning and preparation do not skip
planning and preparation do not skip that and there's a dedicated coffee shot
that and there's a dedicated coffee shot I made on this okay so first is called
I made on this okay so first is called as a planning and preparation so in this
as a planning and preparation so in this stage we create a
stage we create a policy okay create a
policy okay create a policy uh we acquire the management
policy uh we acquire the management support okay and we develop the user
support okay and we develop the user awareness so we conduct the research we
awareness so we conduct the research we build the checklist we develop the
build the checklist we develop the communication plan and awareness
communication plan and awareness training that's something we do in the
training that's something we do in the planning and preparation step second is
planning and preparation step second is called as a detection triager
called as a detection triager investigation in this we detect the
investigation in this we detect the incident we prioritize the incidents we
incident we prioritize the incidents we implement the ideas uh we conduct the
implement the ideas uh we conduct the participations and more important
participations and more important we also talking about here is instant
we also talking about here is instant response functions and everything and we
response functions and everything and we conduct the logs Audits and everything
conduct the logs Audits and everything that will be done in this particular
that will be done in this particular stage
stage now next thing is called as a
now next thing is called as a containment containment analysis is all
containment containment analysis is all about tracking and Recovery we execute
about tracking and Recovery we execute the containment strategy Contin strategy
the containment strategy Contin strategy mean isolate a system we perform the
mean isolate a system we perform the forensic analysis we executing a
forensic analysis we executing a recovery procedure in line with
recovery procedure in line with Enterprise business continu disaster
Enterprise business continu disaster recovery and we also
recovery and we also determine uh the source of incident and
determine uh the source of incident and post uh parameter that is part of a
post uh parameter that is part of a containment so we isolate a system we
containment so we isolate a system we analyze the criticality we track and we
analyze the criticality we track and we restore the system back to the
restore the system back to the production ction and finally we have a
production ction and finally we have a post insent assessment ultimate goal of
post insent assessment ultimate goal of post insant assessment is to conduct the
post insant assessment is to conduct the postmortem exactly what happened at what
postmortem exactly what happened at what time how well did the staff management
time how well did the staff management perform dealing with the incidents okay
perform dealing with the incidents okay uh where the document procedure has been
uh where the document procedure has been followed is it educate how to improve
followed is it educate how to improve that and then we have a incant closure
that and then we have a incant closure ultimate goal of post incent assessment
ultimate goal of post incent assessment is to improve the overall program so I
is to improve the overall program so I repeat again detection is to uh confirm
repeat again detection is to uh confirm and validate so if you get a question in
and validate so if you get a question in which particular State we confirm the
which particular State we confirm the incident the answer is Det only if
incident the answer is Det only if anyone has reported incident the first
anyone has reported incident the first step is to confirm the incident that's
step is to confirm the incident that's called detection then we follow the tri
called detection then we follow the tri tri t r i a g
tri t r i a g triage triage is basically very
triage triage is basically very important part okay because triage help
important part okay because triage help you to prioritize and everything okay so
you to prioritize and everything okay so during the prioritizations we rate the
during the prioritizations we rate the incidents and then we track and then we
incidents and then we track and then we investigate further and then we isolate
investigate further and then we isolate a system then we do analysis because we
a system then we do analysis because we can't do the investigations or analysis
can't do the investigations or analysis uh in the live environment so we isolate
uh in the live environment so we isolate a system then we do analysis we restore
a system then we do analysis we restore the system back to the state and then we
the system back to the state and then we do the post incident and then we have a
do the post incident and then we have a incident closure incident closure is
incident closure incident closure is very important okay because instant
very important okay because instant closures give you the detailed reports
closures give you the detailed reports about everything okay so that we're
about everything okay so that we're going to discuss in the further slide so
going to discuss in the further slide so this is important and confirm from the
this is important and confirm from the perspective okay it's very very
perspective okay it's very very important and you should have a very
important and you should have a very good understanding of this particular
good understanding of this particular process okay so
process okay so please understand this properly it's a
please understand this properly it's a very important
very important part now I want your attention on this
Now I want your attention on this slide; it's very important. The first step is called preparation. So this phase prepares the organization and develops the IRP prior to the incident; sufficient preparation facilitates smooth execution. So preparation is, if the question is talking about in which stage we establish the policy, we establish the approach, we establish a communication plan, we develop the process, we develop the criteria to report the incident, everything building governance around incident management comes in the preparation step.

Second is called identification. This phase aims to verify if any incident has happened and find more details about it. Example: some user has reported "virus, virus, virus". It is not necessary, okay, that I will go and I will report that issue; it will not be like that, okay. So we have to first confirm. Okay, first we need to confirm whether it's true or not; that is called identification, because not all reports are valid, okay. As I said, not every event is an incident, but every incident is an event, right? So the activities in this stage: we assign the ownership, we verify the reports, we establish the chain of custody, we determine the severity of the incidents, and all that.

Then we have containment, okay. It's confirmed the system is infected with the virus: isolate the system immediately. I don't want, you know, just doing a continuous investigation during that time. So containment is very important, because with the help of containment we can isolate a system and we can reduce the impact. The reason for doing containment is to make sure the infected system should not do damage to other systems. You know, it seems like if we find any person has COVID, we isolate the person immediately from the family, so he will move to one room. So after the incident has been identified and confirmed, the most important part is we do the detailed assessment, we contact the system owner, and we isolate the system immediately from the network, and here we notify the appropriate stakeholders also. Before you isolate anything, definitely we need to obtain the agreement on actions, because it can affect the availability; we have to get the IT representative, we have to obtain and preserve the evidence, and forensic activity happens in the containment stage.

Then we have eradication. Eradication is where we remove the virus; we remove the things which are basically creating the cause. So we determine the sign and cause of the incident, we locate the most recent version of the backups, we remove all the root cause, okay, we remove the virus and everything. And then we restore the system back to production. Now listen carefully here: with the business owner we agreed in 4 hours we restore, so following that metric we have to make sure we restore within that only. So here we also follow the BIA, okay, BIA, business impact analysis.

And finally we have lessons learned. Lessons learned means we should learn a lesson from every incident, which helps me to improve the overall process. Example: in this incident the people reported an incident late at night, and at that time there was no team of ours available. So thankfully now, if any incident has been reported, we got to know, okay, we need to hire one person who works in the evening shift, which helped me to improve my overall incident management program. So at the end of the incident response process a report should be developed to share what has happened, okay, what measures have been taken, the result after the plan was executed, as a part of the report. So the report should contain the lessons learned that provide the IMT and other stakeholders valuable learning points and what could have been done better, and these lessons should be developed into a plan to enhance the incident management capability. So we write the incident reports, we analyze the issues which were encountered during the incident response plan, and we also, what you call, propose the improvement based on the issues that we encountered. So that is something done in this phase.

So the answer is: creating a policy, everything, is part of preparation; identifying the incident is part of identification; confirming the incident is part of identification; isolating a system from the network is part of containment; removing the virus from a system is part of eradication; then we have recovery, where we restore the system back to production; and then we have the overall lesson, what is the lesson we have learned. One more important thing: containment is temporary, recovery is permanent. That's something we have to understand.
Now the next important thing is the elements of an incident response plan. So from a CISM context, we should ensure the containment strategy is defined in advance and communicated effectively to mitigate the incident, and incident reviews are crucial for continuous improvement. So we have to make sure we enable the CISM to enhance the security controls and refine the response strategy, and by doing the post review and all that we are able to improve the overall function.

So we have to maintain some documents, okay: accurate records as the incident unfolds. So it's very useful, because with the help of that you can have clear timelines which help you to identify the root cause, why this happened, how this happened. Undocumented changes may introduce new risk, okay. And we have to make sure we preserve the evidence, which requires an unbroken chain of custody. Chain of custody means the sequence in which you maintain the evidence. So let's say, for example, PR is the one who collected the evidence at 7:40, and I hand over the evidence to Smitha at 9:30, Smitha hands over the evidence to Sema at 10. So we maintain one form in which we document the timeline along with the hash value. Like at 7:00 a.m. I collected the evidence and the hash value was A7; when I handed over the evidence to Smitha the hash value was A7; when Smitha handed over to Sema the hash value was 9B. It means during the transit from Smitha to Sema the evidence got altered. So when you submit the evidence in the court you have to submit the chain of custody form. That's why I say, whenever possible, use a standardized format which is easy to understand. Lessons learned during an incident can improve the security practice, and take time to review what happened, so according to that you are able to improve the functions.
Another important thing we use is forensic investigation. It's a very important part, okay; forensics is very important. The important consideration of the incident response team is forensics, which refers to the gathering of evidence. But the question is how to gather the evidence. So we follow one concept, which is called a bit-by-bit image of the system. How? So we have a system A, and here we have a hacker. The hacker basically hacked into the system. We isolate the system. So the first thing we did, we did the ghost image, okay. So we did the ghost image; when we did the ghost image we did the bit-by-bit image of the system. So first we dump the memory. First we dump the memory, because if you shut down the system you will lose the data in the memory. So first we dump the memory, then we create a ghost image of the system, and how do we create a ghost image? Bit by bit of the system. Is it clear? The reason why: if you do bit by bit it can capture the exact state of the system, which captures your deleted files, unallocated clusters and all that. And never, ever do the investigation on the live system; always do the investigation on the copy of the system. So if scenarios in which legal action is likely are identified, there should be procedures that need to be documented, and more important, the incident response team should brainstorm the scenarios and write them into the actions. So always remember: isolate the system from the network first by removing the network cable, dump the memory, and then we make a ghost image, which is called a bit-by-bit image of the system. That is the practice we have to follow.
Now the next important element: whatever plan you created, you have to test the plan, okay. So testing increases the likelihood the plan will work. By assessing the technical soundness of the plan, we increase each participant's familiarity with the plan. So during testing we focus on gap identification, okay: we identify gaps, we verify the assumptions. So, for example, when I say testing, the difference between testing and exercises: testing is checking pass or fail; an exercise is all about a realistic activity. If in the plan it is mentioned that the person will get a report in two days, we have to test whether it is working or not. So by doing testing we identify the gap, we verify the assumptions, we validate the timelines, we determine the effectiveness, and more important, we determine the accuracy. The ultimate goal of testing the plan is to update the plan, because it's not necessary that I will always be available in the company; in my absence someone should follow the plan blindly. So that's why we say, when we have to do the testing, the testing should be done on a regular basis, or at least annually. So we have different types of test that we need to understand.

So next is basically called the types of test, because we need to test the plan, and it is very important for your preparation. So when you're talking about the types of test, the first is called a checklist review. We start with the checklist review only: we distribute the checklist, we distribute the document to all the team heads, and we tell them, just check whether your area or section is okay or not. Is it clear? So the ultimate goal of the checklist review is to ensure they are current. Once they say, okay, yes, all steps are okay, then we have a structured walkthrough, where the team members physically implement the plan on paper and review each step. Then we have a simulation test, where we prepare the disaster scenario without activating a recovery site; a fire drill is an example of a simulation. It has a little bit of impact. Then we have a parallel test. The parallel test we do on the alternate site, and the best site for testing is a hot site, okay, and here the recovery site is brought up to a state of operational readiness, but the primary site continues as normal. And then we have a full interruption test; that's something we do on the production site.

So if you take an example here: this is my primary site and this is my alternate site, okay. So when you're doing a parallel test, we do the parallel test on the alternate site. How? We basically ensure: are we able to move services from primary to secondary as early as possible? We verify the RTO can be achieved within the MTD. And once we ensure, okay, this site is okay, then we do the test on the primary site; sorry, that is called the parallel test, and then we do the test on the primary site, and that's part of the full interruption test. So the ultimate goal is to validate the plan. So testing should start simply and increase gradually, stretching the objectives and success criteria, but make sure we do all these things with a limited impact; that's basically the minimum priority we have. Okay, so that's there.
Now the next important thing we need to understand is the BCP. BCP is very, very important. Now before I discuss BCP in detail, let me first discuss the definition. So we have a BCP and we have a DRP. BCP is a plan which talks about how to sustain the business in the case of a disaster, and DRP talks about how to recover the IT services in the case of a disaster. Let's take an example: this is me, and I'm taking a training from home, and this is you as a customer, okay; you are in different locations, so we are all connected by the network, internet links. I know for me the training on a weekday is very critical, so we have a training from 7 to 12, and I mostly take the training from 7 to 12, so I can use the rest of my day for my activities. So I have to make sure during that time the internet should not be down, power should not be down. But what happened, when I started the session the internet was down, power was down. Thankfully I have a UPS and I have redundant ISP connections, by which I can continue the operation. But the problem is that I know I cannot drive the session for long, so I call my friend and I ask him, is power there, is electricity there? He said yes. So during the lunch time I moved to my friend's house and from there I took the session. So all these activities that I'm doing are DR, okay, but the ultimate goal is what? Sustain the business, continue the business. So BCP is the umbrella, and DR is a part of the umbrella. There's a dedicated video I made, okay, on BCP; do check that.

So when you're creating a BCP program, the first step is to create a policy; we already discussed that. The second step is called the BIA. Definitely in the case of a disaster it is not possible for me to protect everything, so I have to identify what is critical and what is not. Understand the BIA in this way: when we're talking about our old houses, okay, where we don't have the generator or UPS concept, so our dad used to say, or mom used to say, okay beta, or okay guys, you want to study, right? So what is the necessary thing in the case of a power failure? Papa, I want a fan to operate and I want a light in the hall. So this is something that is critical for me, and according to that I went to the market and bought the UPS for that, and we only give the critical connections to that. So in the case of a power failure only the fan and the light will work in the hall; definitely you can't run the AC, fridge and everything. So this is the visibility we get when we do the BIA. So BIA is basically all about what is critical and what is not, so then in the case of a disaster we are able to focus on the critical first.

So in the BIA we have three metrics: MTD, RTO, RPO. So MTD is all about the acceptable downtime, RTO is the time you take to restore the services, and RPO is the acceptable data loss. Let's say, for example, one day what happened: my wife, while coming back from her office, told me, I'm feeling hungry, make sure in 30 minutes you cook something. So that 30 minutes is the ultimatum for me, okay; the 30 minutes is the ultimatum for me, make sure we have to make everything in 30 minutes. So I called Zomato and they say in 20 minutes they will deliver. That's my RTO. So the maximum tolerable downtime is 30 minutes, because if my wife reaches home in
minutes because if wife reach home in the 30 minute then it's a problem and
the 30 minute then it's a problem and then in that case risk cannot be recover
then in that case risk cannot be recover so I got to know my stakeholder is
so I got to know my stakeholder is coming around 30 minutes before that the
coming around 30 minutes before that the service should be there so that's why we
service should be there so that's why we order from zat to our food aggregator
order from zat to our food aggregator app the food was available in 20 minutes
app the food was available in 20 minutes and by this way I will I I can I can
and by this way I will I I can I can able to demonstrate my kitchen
able to demonstrate my kitchen continuity services to my wife so same
continuity services to my wife so same thing happened the server is running the
thing happened the server is running the server is
server is down at 11 MTD we have agreed is 4 hours
down at 11 MTD we have agreed is 4 hours so we have a time till 3: but by 2 I was
so we have a time till 3: but by 2 I was able to restore the service that is my
able to restore the service that is my RTO a good BCB plan is a one where the
RTO a good BCB plan is a one where the RTO should not exceed the MTD and third
RTO should not exceed the MTD and third part is called as RPO recovery Point
part is called as RPO recovery Point objective recovery Point objective
objective recovery Point objective acceptable data loss in the case of
acceptable data loss in the case of disaster so we said the RP is 2 hour so
disaster so we said the RP is 2 hour so 9:00 a.m. we took the backup 11 we can
9:00 a.m. we took the backup 11 we can take the next backup at 11:15 the server
take the next backup at 11:15 the server was down so when I restore the server
was down so when I restore the server three the last backup I can restore is
three the last backup I can restore is 11 and maximum data loss we have agreed
11 and maximum data loss we have agreed is 2 hour but in this case the loss is
is 2 hour but in this case the loss is 15 minutes so MTD and RPO set by the
15 minutes so MTD and RPO set by the business owner so during a bi we
business owner so during a bi we identify what is critical and all that
identify what is critical and all that and then based on that we we identify
and then based on that we we identify preventative control and create a
preventative control and create a contingency strategy we go for hot site
contingency strategy we go for hot site cold site warm site and then we get an
cold site warm site and then we get an approval from the management on that we
approval from the management on that we then create Dr plan we test the plan and
then create Dr plan we test the plan and then we update the plan so that's how
then we update the plan so that's how the Bia works now another important
the Bia works now another important thing we talk about here is
thing we talk about here is uh purpose of Bia Bia identify critical
uh purpose of Bia Bia identify critical assets determine the impact on
assets determine the impact on disruption and set the RTO so key
disruption and set the RTO so key element is identify functions and
element is identify functions and dependencies and deter the required
dependencies and deter the required recovery time to data loss and tolerance
recovery time to data loss and tolerance so from CM context bi findings helps to
so from CM context bi findings helps to cism to align the inent response also
cism to align the inent response also and business Contin need because based
and business Contin need because based on Bia we can able to prioritize the
on Bia we can able to prioritize the recovery based on the
recovery based on the criticality Dr is a plan that we create
criticality Dr is a plan that we create so we Dr is all about recovery strategy
so we Dr is all about recovery strategy we develop the D recovery plan which
we develop the D recovery plan which cover the logistics roles and contact
cover the logistics roles and contact informations and side selection coost
informations and side selection coost location recovery need is very important
location recovery need is very important part but the most important part
part but the most important part is risk tolerance next important thing
is risk tolerance next important thing as a cism okay are responsible for
as a cism okay are responsible for ensure the Dr plan are align with the
ensure the Dr plan are align with the business need and make sure it should be
business need and make sure it should be periodically test for the effectiveness
periodically test for the effectiveness so we have a different type of Dr site
so we have a different type of Dr site the first is called as a hot site now
the first is called as a hot site now what is hot site so let me explain with
what is hot site so let me explain with the example so we have a site
the example so we have a site one and we have a site two
one and we have a site two okay site two okay so hot site mean
okay site two okay so hot site mean active
active passive so site one has a people process
passive so site one has a people process technology has a data but site two have
technology has a data but site two have people process technology with partial
people process technology with partial data currently everything is happening
data currently everything is happening from the site one everything is
from the site one everything is happening from a site one if site is
happening from a site one if site is down we can move the recent data to site
down we can move the recent data to site two and from there we can continue the
two and from there we can continue the operation that is my hot
operation that is my hot site
site okay second is called as a mirror site
okay second is called as a mirror site mirror site means active active if site
mirror site means active active if site one is down continue from site two that
one is down continue from site two that is called mirror site War site is
is called mirror site War site is basically mean we have HX systems we
basically mean we have HX systems we have a rack in the case of disaster we
have a rack in the case of disaster we have to move server and make it as an
have to move server and make it as an operational that is called as a warm
operational that is called as a warm site okay and then we have a cold we
site okay and then we have a cold we have nothing nothing we have to move
have nothing nothing we have to move everything there and that is basically
everything there and that is basically called as a cold site okay and finally
called as a cold site okay and finally we have mobile site portable site you
we have mobile site portable site you can move from one location to other
can move from one location to other location I'm sure you have seen the big
location I'm sure you have seen the big trucks in which we have a data center
trucks in which we have a data center which can be move from one location to
which can be move from one location to other locations so that's something we
other locations so that's something we are
are using hope it is clear to everyone now
using hope it is clear to everyone now next important part we need to
next important part we need to understand is that whatever the plan we
understand is that whatever the plan we creating we have to test that so role
creating we have to test that so role Based training should be done testing
Based training should be done testing type can be tabletop simulations we do
type can be tabletop simulations we do and we check the RTO kpis metrics to
and we check the RTO kpis metrics to check the things so regular training
check the things so regular training okay regular trainings ensure the
okay regular trainings ensure the Readiness in helping the season to go
Readiness in helping the season to go the instant maturity and justify The
the instant maturity and justify The Continuous support okay the next thing
Continuous support okay the next thing is called as a RTO as I said maximum ex
is called as a RTO as I said maximum ex downtime MTO longest time system can be
downtime MTO longest time system can be un avilable and sdo is a level of
un avilable and sdo is a level of service needed during the recovery so
service needed during the recovery so let me explain you with the examples so
let me explain you with the examples so you get a better visibility because I've
you get a better visibility because I've seen a lot of people struggle on this
seen a lot of people struggle on this area I I always use V diagram it's a v
area I I always use V diagram it's a v website V zo and he's one of my good
website V zo and he's one of my good friend so I'm using his reference here
friend so I'm using his reference here so here what happen your system is
so here what happen your system is working in every 2 hour we're taking a
working in every 2 hour we're taking a backup and suddenly there was a
backup and suddenly there was a disruption now I'm able to trying to
disruption now I'm able to trying to restore but I'm able to restore some of
restore but I'm able to restore some of the service which is 60% 60% service I
the service which is 60% 60% service I was able to restore and with that I can
was able to restore and with that I can continue my business that is my sdo
continue my business that is my sdo service delivery
service delivery objective okay is you can see another if
objective okay is you can see another if there is a power failure happened the it
there is a power failure happened the it came back but it came in phases it
came back but it came in phases it cannot run anything it cannot run
cannot run anything it cannot run everything so we can run some basic
everything so we can run some basic things so that acceptable things is
things so that acceptable things is called as a sdo service delivery object
called as a sdo service delivery object with that I can continue my
with that I can continue my operations and then at one point in time
operations and then at one point in time I restore everything so from the
I restore everything so from the downtime till the full restoration that
downtime till the full restoration that time is called as a
time is called as a AIW okay but the time till accept sdo
AIW okay but the time till accept sdo that is by uh you know parameter I'm
that is by uh you know parameter I'm taking about the downtime and from the
taking about the downtime and from the RTO to the full recovery that is called
RTO to the full recovery that is called as a MTO MTO stand for maximum tolerable
as a MTO MTO stand for maximum tolerable outage okay and overall downtime that we
outage okay and overall downtime that we agreed was AIW and and then I restore
agreed was AIW and and then I restore the functions the same thing what we
the functions the same thing what we discussed so I repeat
discussed so I repeat again the service was down I was able to
again the service was down I was able to restore the
restore the services and that exal Services I
services and that exal Services I basically 60% with that I can run my
basically 60% with that I can run my business and that is my sdo service
business and that is my sdo service delivery objectives and with that I can
delivery objectives and with that I can continue my operations on the alternate
continue my operations on the alternate site before that I have to restore if I
site before that I have to restore if I don't restore before after this it's a
don't restore before after this it's a problem and I restore at this point that
problem and I restore at this point that is basically called as a recovered
is basically called as a recovered and from the downtime till the downtime
and from the downtime till the downtime this this is called my
this this is called my AIW okay that's how it basically we plan
AIW okay that's how it basically we plan so as I said we are using this
so as I said we are using this particular Matrix to validate the
particular Matrix to validate the functions okay we also use another
functions okay we also use another important thing called ioc and ioa ioc
important thing called ioc and ioa ioc ioa is called like list of attacks
ioa is called like list of attacks happening on my network like this attack
happening on my network like this attack is coming from 1.1.1 that has been
is coming from 1.1.1 that has been recorded in the firewall that is called
recorded in the firewall that is called as a ioa but same IP was recorded and
as a ioa but same IP was recorded and confirmed in one of my system locks that
confirmed in one of my system locks that is called ioc so IO ioa before attack
is called ioc so IO ioa before attack and ioc is basically after the attack as
and ioc is basically after the attack as an Evidence so we are using this metrix
an Evidence so we are using this metrix okay to measure the effectiveness and
okay to measure the effectiveness and everything that is something part of the
everything that is something part of the program like relatives are coming to the
program like relatives are coming to the house is ioa but based on that they
house is ioa but based on that they confirm the marriage proposal and you
confirm the marriage proposal and you got married that's ioc and so your
got married that's ioc and so your cousins got this opportunity they leave
cousins got this opportunity they leave the place so understanding these metrics
the place so understanding these metrics allow cm to set the realistic
allow cm to set the realistic expectation measure the incident impact
expectation measure the incident impact and maintain the continuous
and maintain the continuous Improvement so forensic is very
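The IOA versus IOC distinction the speaker draws, as an added example that is not part of the original video: a source the firewall recorded attacking is treated as an indicator of attack, and it only becomes an indicator of compromise once the same address is confirmed in a system's own logs, the "evidence after the attack" in the talk. The log formats, hostnames and addresses (taken from the TEST-NET documentation ranges) are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed firewall log: what the perimeter device recorded (sample data, not real traffic).
FIREWALL_LOG = """\
2024-01-15T11:02:10Z fw01 DENY src=192.0.2.10 dst=10.0.0.5 dport=22 rule=brute-force
2024-01-15T11:02:11Z fw01 DENY src=192.0.2.10 dst=10.0.0.5 dport=22 rule=brute-force
2024-01-15T11:05:42Z fw01 DENY src=198.51.100.7 dst=10.0.0.8 dport=3389 rule=rdp-scan
2024-01-15T11:06:00Z fw01 ALLOW src=203.0.113.4 dst=10.0.0.9 dport=443 rule=web
"""

# Constructed host logs: what the systems themselves recorded.
HOST_LOG = """\
2024-01-15T11:03:30Z srv05 sshd[2201]: Accepted password for admin from 192.0.2.10 port 51022
2024-01-15T11:03:31Z srv05 sudo: admin : COMMAND=/usr/bin/id
2024-01-15T11:10:02Z srv09 nginx: 203.0.113.4 - - "GET /index.html" 200
"""

# Assumed firewall line layout: timestamp, device, action, src=..., ..., rule=...
FW_PATTERN = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>DENY|ALLOW) src=(?P<src>\S+) .*rule=(?P<rule>\S+)$"
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def indicators_of_attack(fw_log: str) -> Dict[str, List[str]]:
    """IOA: source addresses the firewall recorded hitting a blocking rule, with the lines as evidence."""
    ioa: Dict[str, List[str]] = {}
    for line in fw_log.splitlines():
        m = FW_PATTERN.match(line)
        if m and m["action"] == "DENY":
            ioa.setdefault(m["src"], []).append(line)
    return ioa


def confirm_compromise(ioa: Dict[str, List[str]], host_log: str) -> Dict[str, dict]:
    """IOC: an IOA source that also appears in a system's own logs is confirmed; the rest stay IOA only."""
    host_lines = host_log.splitlines()
    result: Dict[str, dict] = {}
    for ip, fw_evidence in ioa.items():
        # Match whole IPv4 tokens so 192.0.2.1 is not confused with 192.0.2.10.
        host_evidence = [line for line in host_lines if ip in IPV4.findall(line)]
        result[ip] = {"ioa": fw_evidence, "ioc": host_evidence, "confirmed": bool(host_evidence)}
    return result


def triage(fw_log: str = FIREWALL_LOG, host_log: str = HOST_LOG) -> Dict[str, dict]:
    """Run both steps: firewall records give the IOA list, host logs decide which become IOCs."""
    return confirm_compromise(indicators_of_attack(fw_log), host_log)


if __name__ == "__main__":
    for ip, info in triage().items():
        status = "IOC (confirmed on host)" if info["confirmed"] else "IOA only"
        print(f"{ip}: {status}, {len(info['ioa'])} firewall record(s), {len(info['ioc'])} host record(s)")
```

On the sample data 192.0.2.10 is blocked twice at the firewall and then appears in an accepted SSH login on srv05, so it is promoted to an IOC, while 198.51.100.7 never shows up on any host and stays an IOA to watch; the allowed web client is never an indicator at all. That promotion step is what turns a list of attacks into the evidence the speaker says incident reports and documentation should rest on.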
So forensics is very important: we have to ensure the data integrity during the investigation; collection is a very important step; notify legal and regulatory before doing any investigations, okay, that's a very important part. Documentation is important in the entire incident management process because it provides the audit trails for incident handling and it also supports the lessons learned, and it's very important you should summarize the incident for management, the highlights and everything. So well-maintained documentation and reports justify the incident response investment and also help to communicate the incident insights to the management and stakeholders. That's why documentation is very important, okay.
documentation is very important okay it's it's it's it's actually very
it's it's it's it's actually very important now it's very important to
important now it's very important to have a risk management with instant
have a risk management with instant handling so instance are unprevented
handling so instance are unprevented risk that materialize and handling
risk that materialize and handling should focus on containing risk without
should focus on containing risk without escalation so it's very important you
escalation so it's very important you have to integrate with the Assurance so
have to integrate with the Assurance so you have to link the instant management
you have to link the instant management with the other risk Assurance function
with the other risk Assurance function for the compreh iens risk coverage so
for the compreh iens risk coverage so according to that you can able to take
according to that you can able to take the calls and that is why inent
the calls and that is why inent management is a component of overall
management is a component of overall risk management because the risk that
risk management because the risk that identified mitigated and all that the
identified mitigated and all that the resal risk need to be tracked properly
resal risk need to be tracked properly is it clear so resal risk is a risk
is it clear so resal risk is a risk which is left after implementing control
which is left after implementing control so we have to monitor the res should not
so we have to monitor the res should not exceed okay see earthquake is part of my
exceed okay see earthquake is part of my risk residual but if I occur we need to
risk residual but if I occur we need to have a inant response
have a inant response plan so you have to make sure the inent
plan so you have to make sure the inent management process should be aligned
management process should be aligned with the Enterprise goals that's one
with the Enterprise goals that's one thing and if it's aligned then only we
thing and if it's aligned then only we have a buy and approval from the Senior
have a buy and approval from the Senior Management so as an instant management
Management so as an instant management should not only mitigate risk but also
should not only mitigate risk but also enhance the organization resilience and
enhance the organization resilience and require the cism professional to
require the cism professional to communicate its strategic importance to
communicate its strategic importance to the leadership
the leadership skills okay so I want to show you one
skills okay so I want to show you one diagram okay so here you can see we have
diagram okay so here you can see we have a instant risk management where we
a instant risk management where we identify analyze and develop the
identify analyze and develop the mitigation
mitigation plan and we decided okay we need to
plan and we decided okay we need to monitor some res risk
monitor some res risk okay and for that we introduce a BCP
okay and for that we introduce a BCP plan we want a BCP update because any
plan we want a BCP update because any trigger happen we need a BCP plan or any
trigger happen we need a BCP plan or any issue happen with that residual risk
issue happen with that residual risk when you have incent management plan Tri
when you have incent management plan Tri inent response and Recovery that's
inent response and Recovery that's that's how this corelation basically
that's how this corelation basically works
works okay so it's very important how you
okay so it's very important how you validate each and everything so next is
validate each and everything so next is called as a review and process okay so
called as a review and process okay so conduct the formal review after
conduct the formal review after insurance to identify the improvements
insurance to identify the improvements and track the incident response time
and track the incident response time cause of incidents success rate that's a
cause of incidents success rate that's a very important part because continuous
very important part because continuous Improvement is a very important part of
Improvement is a very important part of the functions because by doing a
the functions because by doing a continuous Improvement you can you can
continuous Improvement you can you can enable to refine the response strategy
enable to refine the response strategy reduce the instant impact and also
reduce the instant impact and also demonstrate the value to the inst
demonstrate the value to the inst management team so this is all from my
management team so this is all from my side but before I want to wind up I want
side but before I want to wind up I want to tell you one thing some important
to tell you one thing some important things first Your Role is a manager Your
things first Your Role is a manager Your Role is not to implement
Role is not to implement anything you will will get 240 minutes
anything you will will get 240 minutes to answer 150 questions so time is not
to answer 150 questions so time is not an enemy go for 50
an enemy go for 50 questions 50 minutes 10 minutes break 50
questions 50 minutes 50 questions 50 minutes so in 1 15 minutes sorry in 60
minutes so in 1 15 minutes sorry in 60 60 60 in 180 minutes you complete the
60 60 in 180 minutes you complete the 150 questions so now you left with
150 questions so now you left with another 60 Minutes that 60 minutes you
another 60 Minutes that 60 minutes you can take to review your weak areas time
can take to review your weak areas time is not an enemy read the question
is not an enemy read the question carefully eliminate two options and then
carefully eliminate two options and then Focus your energy in other two options
Focus your energy in other two options that's basically the beauty about this
that's basically the beauty about this exam do let me know how do you find this
exam do let me know how do you find this special video and it's an it's an effort
special video and it's an it's an effort and Investments which I do for my
and Investments which I do for my students and it is a free and uh I will
students and it is a free and uh I will wait for your feedback and do let me
wait for your feedback and do let me know in the comment box shall I make a
know in the comment box shall I make a video on cisa and C risk in the same
video on cisa and C risk in the same format thank you so much good day bye