Information Security Management Concepts Explained | TryHackMe

Captions
What's going on, YouTube, welcome back. Today we're doing TryHackMe, and today's video is kind of non-technical. We're still in the Security Engineer track in TryHackMe, and we reached this room, Governance and Regulation. As the title suggests, it is kind of a non-technical room: we will not be typing any commands in the terminal, and we will not be doing any CTF in this room. It is just to explain cyber security management concepts, or information security management concepts. These concepts are very necessary for a security engineer to understand in order to operate in an environment where you are part of an information security department. Additionally, the terms and concepts we're going to outline in this video are very important if you are preparing for a certification such as CISM, Certified Information Security Manager, or even preparing for CISSP, Certified Information Systems Security Professional. These concepts are very important for these certifications because they are in the management spectrum of cyber security, which is non-technical. But we are not going to bore you guys by reading through these tasks; we're just going to explain briefly what every concept means, take examples, and at the end we're going to take the challenge here at the "View Site".

It all starts with these terminologies. We have information security governance. Before we talk about information security governance, it's essential we understand something called data governance, which is not mentioned in this task. Data governance is how the organization handles data. If there's a data governance policy, it will actually take ownership of the data by specifying a data retention policy: for how long the data is retained in the organization, how the data is deleted or wiped, and what the policies and security measures are that are implemented to protect the data. This is called data governance.

Now if we move on to information security governance, here we mean how we govern information security in the organization, how we implement information security. I know it's kind of a heavy term to say "governance of information security", but it's all about handling information security, or how information security is implemented in the organization. When we talk about information security governance we talk about these components: strategy, policy and procedures, risk management, performance measurement and compliance. An information security department must develop information security governance, or must have policies to govern information security. So to govern information security, we create policies and procedures, we define a strategy, we assess the risk and we monitor the performance.

Information security regulations. A regulation, guys, is a law or a rule that is imposed by a regulatory entity. Some of the examples can be GDPR; GDPR is a regulation, and it is regulated by the European Union. You also have HIPAA; HIPAA is US-based, for healthcare industries. You have PCI DSS for governing the finance sector, and you have the Gramm-Leach-Bliley Act, also for the finance sector. These are called regulations, which means organizations that fall under these regulations, or under the domain that these regulations cover, are obliged to comply with them. It's kind of mandatory to comply with these regulations, otherwise there are fines and penalties for non-compliance. So regulations in information security are something not to ignore or neglect, and they should be part of any information security program. That's what we said earlier: here in information security governance, to govern information security, there's this part, compliance. Compliance is where we make sure that the organization is compliant with information security regulations.

The term used for legal and regulatory frameworks that govern the use and protection of information assets is called regulation. The Health Insurance Portability and Accountability Act targets which domain for data protection? It's healthcare.

To sum this up, guys: in an information security department we create an information security program, and part of the program is being in compliance with these regulations. These regulations are not just there to impose fines and make profit on the back of organizations if they are not compliant; of course, these regulations are there to help organizations protect their assets. Assets could be digital or non-digital. That's the broader definition of a compliance regulation: it's there to instruct companies and organizations how to protect the digital assets, or even non-digital assets, how to protect the information assets. Every asset that stores, processes, sends or transmits information is considered an asset that needs protection. So part of the information security program is to be in compliance with these regulations.

Now there is the information security framework. If we don't read these and we summarize the framework in one word: a framework, guys, is a set of documents. If we scroll down here, this is the framework: a set of documents. These documents are concerned with handling the security and governance of an organization. An information security framework can be developed to aid you in creating the information security program. As part of an information security program you will need an information security framework that will outline how information security is implemented, and basically it consists of these components: the policies, mainly security policies; the standards, the requirements (a standard is a requirement, a document containing requirements for, for example, protecting your digital assets or non-digital assets); the guidelines, which are best practices and the how-to, containing the best practice and the how-to to actually implement the policies and standards; the procedures, which are self-explanatory, specific steps to perform a process or task; and lastly we have the baselines, which can be called the minimum standards or the minimum criteria for a specific policy or standard. So this is the framework.

Frameworks come in various shapes and for various sectors. Some examples of frameworks could be the governance and compliance framework, and you also have the NIST framework, which we will talk about in a bit. Again, a framework is not a regulation. It is a framework; it's not compulsory to be in compliance with a framework, and it's not here to make you compliant. The framework is created to help you be in compliance with the information security regulations. An example of a security framework is governance, risk and compliance (GRC); it's actually there to handle governance, risk management and compliance. When you create a governance, risk and compliance framework you cover risk management, you cover compliance and you cover governance. Again, in governance we set the direction of the information security strategy, the policies, the procedures, the frameworks, the guidelines, the data; all of that is handled by governance. Then we perform risk management, and then we put components in place to be in compliance, and thus we create an information security, or a governance, risk and compliance, framework.

Here is an example of a GRC framework in the financial sector. We have the governance component: in the governance component we set the direction, we set the strategy that will govern all of the other components. Why are we creating a GRC framework in the first place? What's the objective, what's the goal, what are the policies that will be created by the framework? All of that falls under the governance component. Then we have risk management. Nearly, risk management is part of every framework you will create, so whether you create a GRC framework yourself by following these steps or whether you follow a specific framework from the industry, you will see risk management. Risk management is nearly part of every information security framework. And lastly we have compliance, so any information security framework should actually help you be in compliance with information security regulations.

Remember, guys, that an information security framework is different from a regulation. A framework is a set of policies, procedures, guidelines and standards that will help you be in compliance, mitigate risks and govern the information security department or the information security strategy. That is a framework. You may not create a governance, risk and compliance framework; you may follow other frameworks. Let's go here, because I have all of them here; let's see the frameworks we have. An example of a framework is the NIST Cybersecurity Framework. NIST, guys, is a framework that any organization can follow to ensure the confidentiality, integrity and availability of their digital assets or non-digital assets. There is the publication 800-53, which is Security and Privacy Controls for Information Systems and Organizations. Such a framework helps you stay in compliance with the regulations, GDPR, PCI DSS, depending on your industry, and helps you protect your information assets. Of course they have a risk management component, incident response and other security controls. So these frameworks should be part of your information security program, beside an overall information security governance that creates or sets the strategy.

Privacy and data protection. This is GDPR. GDPR is a regulation, okay, it is a regulation, not a framework. It is an information security, or privacy and data protection, regulation that applies to companies and organizations in the European Union. But who are these organizations and companies? If these organizations and companies handle, store, process or transmit customer data or personal information of the customer, they must comply with GDPR by following its practices. And of course, as is the case with any information security regulation or data protection regulation, if you are not compliant with the regulation you will have fines. Also you have the Payment Card Industry; this is for financial organizations, banks.

What's the maximum fine? We didn't answer the previous ones. The step that involves periodic evaluation of policies and making changes as per stakeholders' input is called: it is the review and update. Review and update is a step that you take, guys, while you create a broader information security framework: you have to regularly visit the framework and update its policies and procedures as per the requirements. A set of specific steps for undertaking a particular task or process is called the procedure. What's the component in the GRC framework involved in identifying, assessing and prioritizing risks to the organization? It is risk management. Is it important to monitor and measure the performance of a developed policy? Of course, yes.

Privacy and data protection: here is the question about the fines that the organization will incur if it is not in compliance. What's the maximum fine for Tier 1 users? It is four percent. Tier 1 and Tier 2 are tiers to impose fines on organizations that are non-compliant. Tier 1 handles the organizations that are in severe violations, meaning the organizations that are totally not in compliance with the framework or with the regulation; these organizations don't have policies or specific measures or controls to protect the privacy of the data. And we have Tier 2. Tier 2 is imposed on organizations that may have policies but later down the road may actually suffer from data breaches and fail to notify the customers. This is Tier 2, which carries less fines than Tier 1: it is two percent of the overall revenue. In terms of PCI DSS, what does CHD stand for? It's called cardholder data.

NIST. We mentioned NIST a while ago. It is a framework, okay, it's an information security framework that organizations can follow to protect the information assets. Now, what these frameworks handle actually differs from framework to framework; not all frameworks handle the same category, and few frameworks can be implemented or followed by all organizations. So it depends on your organization's industry, the objectives and the goals. For example, NIST handles a wide array of information assets and scenarios; it covers, for example, protection controls against intentional attacks (cyber attacks), unintentional errors (human errors), natural disasters, infrastructure failures, foreign intelligence activity and privacy concerns. Per NIST 800-53, in which control category does media protection lie? It is the physical, as you can see they are here. You can also visit the main documentation for NIST to take a look at all the requirements; it is a document of 492 pages, it's a reference for organizations. So media protection is under the physical controls, incident response is under the administrative controls, and lastly, which phase of compliance best practices results in correlating identified assets and permissions? It's the map. In map, we map the identified assets of the organization. Every organization has different assets, so we map the assets; it could be endpoints, computer systems or data warehouses. We map these assets, we also map the permissions, who has got access to these assets, and we map them with the best practices or the security controls. We call this the map phase.

And lastly, information security management and compliance: additional frameworks. There is the SOC 2 framework. It's not a Security Operation Center; it is Service Organization Control. It is similar to NIST. Also you have the ISO standard that can be followed to actually plan, create and develop an information security management system, ISMS. As you can see, guys, there are different frameworks and standards to follow when you are actually implementing an information security program and a governance program. There are some questions we need to answer. Let's see: which ISO component involves selecting and implementing controls to reduce identified risks to an acceptable level? It's risk treatment. As you can see, risk management is nearly part of every framework. In SOC 2 generic controls, which control shows that the system remains available? It's availability. So all of these, remember guys, all of these frameworks, their main objective is to protect the CIA triad, which is confidentiality, integrity and availability of the information assets. Now, which framework you choose depends on the business objectives, the goals, the scenario, the industry; all of these factors should be taken into consideration when selecting an information security framework or a standard to follow. So when you follow these frameworks, guys, you follow them when you are creating an information security program. You follow these standards to create security policies and procedures, to be in compliance and to govern your data. Lastly we have the conclusion. Let's click on "View Site" and take this fun challenge.

Skip the guided tour; I'm gonna take you guys on this tour. Basically these bubbles represent the vulnerabilities. When I hover over, as you can see here, for every color we have the classification of a different vulnerability: for example, the red color refers to phishing emails, the light blue color refers to man-in-the-middle attacks, the green color refers to data leakage, and so on and so forth. We have the rockets here; the rockets are the controls. We have to aim the rockets at the appropriate vulnerability using the harpoon here. For example, we have the secure connections: where should we aim or apply this rocket? Phishing emails? We have man-in-the-middle; actually it is applied on man-in-the-middle attacks, because secure connections make the communication or the packets encrypted, which means even if the attackers manage to get access or to sniff the data, they will not be able to see through the contents because it is encrypted. But unfortunately we have to get past this wall here, phishing emails. So first we have to crack phishing emails, or patch the vulnerability of phishing emails, by using the user awareness rocket. User awareness is part of any information security program; it's actually part of all of the information security frameworks regardless of the framework you choose, so you will implement user awareness if you are following one of these frameworks. Let's choose user awareness and aim at the phishing emails. Okay, so we got this. Now you have a question: which of the following is a valid NIST publication dealing with security and privacy controls for information systems and organizations? We mentioned that it is NIST 800-53. Okay, now we can aim. Oh, we're out of time; because I'm explaining everything in the task, there's not going to be enough time. Skip tour, let's aim fast. Oops, okay. Next we have the man-in-the-middle attack; we're going to take the secure connections and aim. Okay, and we have unpatched software, so we can use patch management. Which of the following frameworks primarily assists in information security management and compliance? SOC 2. GDPR, it's for data leakage, so you can aim at data leakage; to prevent data leakage we use GDPR. And lastly, Service Organization Control, it's for unregulated, non-compliant; aim that, and we have this flag.

So that was it, guys. If you want more information or more details about cyber security management concepts, you can visit my notes through channel membership. I hope you enjoyed the video, guys, and definitely I'm gonna see you later to carry on with the rest of the rooms.
Info
Channel: Motasem Hamdan
Views: 217
Id: E1e8OStBPJ4
Length: 25min 7sec (1507 seconds)
Published: Mon Sep 18 2023