Domain 1 - Alignment of Security Function to Business Strategy
Transcript
Introduction
Hey, I’m Rob Witcher from Destination Certification, and I’m here to help you pass the CCSP exam. In this MindMap, we’ll be reviewing the major topics related to the alignment of security function to business strategy in Domain 1. I’ll show you how these topics relate to one another, to help you understand how it all fits together.
Plus at the end of this video I’ll show you where you can download a PDF version of all these MindMaps - including a printable version you can use to take notes while watching these videos!
This is the second of five videos for Domain 1. I have included links to the other MindMap videos in the description below. These MindMaps are just a small part of our complete CCSP MasterClass.
Alignment of Security Function to Business Strategy
Moving to the cloud is ultimately a business decision. The usage of cloud services must be aligned with business goals and objectives. In other words the usage of cloud services must help the business achieve its goals and objectives. Cloud services obviously need to be secured, but secured to what degree? Should every possible security control be implemented? Probably not. But how do we figure this out? Again, by understanding business goals and objectives which will dictate what the security requirements are. So, we need to spend a few minutes here talking about things like governance, the focus of security, and policies.
Corporate Governance
Alright, so starting high-level, let's start with corporate governance. Corporate governance is the system of rules, practices and processes by which an organization is directed and controlled to achieve its goals and objectives that are typically focused on increasing the value of the organization.
So, fundamentally, corporate governance is about ensuring an organization has clear goals and objectives and everyone in the company is aligned towards achieving those goals and objectives.
Security Governance
Security governance is the system of rules, practices and processes by which the security function is directed and controlled. A crucial part of security governance is aligning the security function to the overall organizational goals and objectives, so that security can help the business achieve its goals and objectives, so that security is an enabler for the business. This is something crucial that we always need to keep in mind as security professionals–our job is to help the business achieve its goals and objectives–to be an enabler for the business. And this obviously applies to the usage of cloud. Cloud services must help the organization achieve its goals and objectives.
Focus of Security
So, now you know the focus of security: to help the organization achieve its goals and objectives.
Enable Business
To be an enabler to the business. To think about where cloud services could be beneficial to the organization.
Increase Value
To help increase the value of the organization.
Goals of Information Security
The overall goals of information security apply to the cloud.
Confidentiality
Confidentiality is focused on preventing unauthorized disclosure of information. Ensuring that sensitive information is accessed only by authorized individuals and kept away from those who do not have the right to see it.
Integrity
Integrity is focused on preventing unauthorized or unexpected changes to data. Ensuring that information is accurate and complete and has not been tampered with or altered by unauthorized individuals.
Availability
Availability is focused on ensuring information is available to make decisions–ensuring that information and resources are accessible to authorized users when needed.
Clearly Defined Roles & Responsibilities
An absolutely critical part of governance is having clearly defined roles and responsibilities. This is especially true in the cloud. The vast majority of cloud is public cloud, which means a customer is outsourcing much of the management and the protection of their systems and data to a service provider. So it’s absolutely crucial that there are clearly defined roles and responsibilities. That it’s crystal clear what the cloud service provider is responsible for and what the consumer is accountable and responsible for.
I already covered accountability and responsibility in the last video, but they are so critical to understand that they bear briefly repeating here.
Accountability
Accountability means the ultimate ownership of something. Remember, accountability can never be delegated. So if an organization decides to move something to the cloud, they remain accountable for the security of that asset, no matter what. The cloud service provider will never be accountable for a customer’s systems and data–they will only be responsible.
Responsibility
Responsibility can be delegated. The responsible party will implement and enforce controls based on the direction of those that are accountable, the cloud consumer.
Privacy
Privacy is not a massive topic on the CCSP exam, but it is large enough to warrant its own MindMap. So for now I’ll simply say you cannot achieve privacy without security, and we’ll talk more about privacy in Domain 6.
Corporate Laws
Let's now get into an important discussion of policies. Policies are essentially corporate laws. Policies are how we direct behavior within an organization. Policies tell people what they must do.
Overarching Security Policy
The overarching security policy defines an organization's overall approach to security. The overarching security policy is provided and supported by the board of directors and senior management. The policy defines the goals and objectives for the security function and ensures security is aligned with the overall business goals and objectives.
Functional Security Policies
Functional security policies, on the other hand, are more detailed policies that address specific security requirements and practices, such as access control, encryption, incident response, and data backups. An organization will have a functional policy for each of these, and many more.
Good policies are easy-to-read documents that state simple rules, such as: personal data stored in the cloud must be encrypted.
A critical requirement when using cloud services is that an organization must determine which policies will be applicable to cloud services.
Policies are corporate laws. Policies tell people, and service providers, what they must do.
Standards
Standards define specific mandatory hardware and software mechanisms–for example an organization's standard might state that the Advanced Encryption Standard (AES) with a 128-bit key must be used as a minimum for all personal data stored in the cloud.
Procedures
Procedures are step-by-step mandatory actions. For example, an organization could have a procedure for how AES is used, how keys are generated, how initialization vectors (IVs) are created, what plaintext preparation is done, etc.
Procedures are a step-by-step set of instructions or actions for how to do something–like encrypt data with AES.
Baselines
Baselines are minimum levels of security, and they define mandatory configurations for security mechanisms and products–for example an organization could have a configuration baseline for virtual machines–VMs. The configuration baseline is essentially a checklist of all the things that need to be done to correctly configure and lock down a VM before it is put into production. For example, the configuration baseline would require that, at a minimum, the host-based firewall be enabled, certain patches be installed, a guest OS virtualization toolset be installed and configured correctly, and so on.
Guidelines
Guidelines are recommended actions. Listen carefully here: guidelines are not mandatory–they define what someone should do–not what someone must do. Guidelines are useful when an organization knows they should be doing something but they haven’t fully implemented it yet. For example, the organization might want to have multi-factor authentication for all administrative accounts, but if there are systems that don’t support that yet, the organization is setting itself up for failure if they create a mandatory requirement of MFA for admin access on all systems. Instead, the organization can create a guideline–it would be good to have MFA for admin access to all systems, but it’s not a requirement. Yet.
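To make the difference between the standard, baseline and guideline examples above concrete, here is an added example (not from the video or Destination Certification) that turns them into checks against a VM record: the AES-128 standard and the VM baseline items are "must" findings that make the VM non-compliant, while the MFA guideline is a "should" finding that is reported but never blocks. The VM record shape, its field names and the patch identifiers are assumptions constructed for this example.

```python
# Added example: policy-hierarchy checks built from the transcript's own examples.
# VM record fields and patch identifiers are constructed assumptions, not a real format.

MIN_AES_KEY_BITS = 128                                   # the standard quoted above
REQUIRED_PATCHES = {"KB-0001", "KB-0002", "KB-0003"}    # constructed baseline patch list

# Constructed sample VM record that fails several checks.
SAMPLE_VM = {
    "host_firewall_enabled": True,
    "installed_patches": {"KB-0001", "KB-0002"},
    "guest_tools_installed": False,
    "personal_data_volumes": [{"cipher": "AES", "key_bits": 128},
                              {"cipher": "AES", "key_bits": 64}],
    "admin_mfa_enabled": False,
}

def check_standard_encryption(vm):
    """Standard: personal data in the cloud must use AES with at least a 128-bit key."""
    return [("must", "standard:aes-128-min", f"volume uses {v['cipher']}-{v['key_bits']}")
            for v in vm["personal_data_volumes"]
            if v["cipher"] != "AES" or v["key_bits"] < MIN_AES_KEY_BITS]

def check_baseline_vm(vm):
    """Baseline: mandatory VM lock-down checklist (firewall, patches, guest tools)."""
    findings = []
    if not vm["host_firewall_enabled"]:
        findings.append(("must", "baseline:host-firewall", "host-based firewall disabled"))
    missing = REQUIRED_PATCHES - vm["installed_patches"]
    if missing:
        findings.append(("must", "baseline:patches", f"missing {sorted(missing)}"))
    if not vm["guest_tools_installed"]:
        findings.append(("must", "baseline:guest-tools", "guest toolset not installed"))
    return findings

def check_guideline_mfa(vm):
    """Guideline: MFA for admin access is recommended, so it is reported but never blocks."""
    if vm["admin_mfa_enabled"]:
        return []
    return [("should", "guideline:admin-mfa", "MFA not enabled for admin access")]

def evaluate(vm):
    """Only 'must' findings (standard/baseline) make the VM non-compliant."""
    findings = (check_standard_encryption(vm) + check_baseline_vm(vm)
                + check_guideline_mfa(vm))
    compliant = not any(level == "must" for level, _, _ in findings)
    return compliant, findings

if __name__ == "__main__":
    ok, fs = evaluate(SAMPLE_VM)
    print("compliant" if ok else "NOT compliant", fs)
```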
Risk Management
And the final item here is risk management–an incredibly important topic that most definitely deserves its own dedicated MindMap, which is coming up next!
And that is an overview of the alignment of the security function to business strategy within Domain 1, covering some of the most important concepts you need to know for the exam.
Something really cool we are providing with these MindMap videos is a completely FREE downloadable version of all the MindMaps in PDF format.
We even include a blank version of each MindMap in case you want to print them out and take notes as you listen along. Link to download the MindMaps is in the description below.
So check it out, I think you’ll find it really helpful in your studies!
If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MindMap series, then please subscribe and hit the bell icon to get notifications.
If you’re looking for the easiest way to achieve your CCSP certification, then check out our CCSP MasterClass. Link is in the description below.
All the best in your studies!