[Narrator] As a business function, information security must align itself with the many other functions taking place inside an organization. I already talked about some of the routine management tasks that information security leaders take on when managing human resources and financial budgets. Those are pretty much the same concerns that any other manager in the organization has. Let's take a look at the specific business processes that have a security impact.

First, information security must align itself with the governance processes of the organization. These governance processes take place at many different levels. They may consist of an information governance committee that includes senior leaders with oversight of information security and data governance functions. The organization may also have a risk management committee consisting of executives charged with managing all risks to the organization from any source. In publicly traded companies and non-profit organizations, the most senior level of governance is typically an independent board of directors, board of trustees, or similar senior governing body with elected members.

No matter what the governance structure of the organization, security leaders must determine the best ways to integrate information security into governance processes. At a minimum, this means making sure that those responsible for the governance of the organization understand the security risks facing the organization and the controls put in place to manage those risks. Governing groups should also be informed of any security incidents that take place and review the results of audits performed at the organization that include security considerations. There's no one-size-fits-all model for security governance, and you'll need to figure out how to best address security concerns within the specific context of your organization.

Another corporate process that requires security involvement comes from the acquisition of other companies. In some industries it's quite common for businesses to buy other businesses and then seek to quickly fold them into the parent company. Each acquisition presents a unique set of circumstances, and security professionals from both organizations should get together to evaluate the security controls in place at each organization and figure out how to eliminate redundancies and ensure compatibility between security systems. This can be a little bit tricky, especially when the staff at one organization fears that they may be laid off as a result of the acquisition. Threats to a team's continued employment can have a very serious negative impact on productivity.

Similarly, companies sometimes undergo divestitures, where they spin off a part of the business as a separate organization. In those cases, individuals staying with the divested company must ensure that the new organization has adequate controls in place. Those staying with the parent company will need to ensure that all security ties are cut and that there isn't any unintentional access left over for employees who leave the company with the divestiture.