This next module is the beginning of Module 3 in this domain, and it covers program activities. If you're just beginning this module, I want you to pause it, go get yourself a cup of coffee and a couple of cookies, because we're going to cover about 30 slides, give or take a few, in this module. What are some of the administrative activities that go into program management? Well, first of all, monitoring the program: short-term branding, long-range planning, the day-to-day activities. You may be called upon to be the facilitator when it comes to resolving conflict or competing objectives. We have to define the personnel, the roles, responsibilities, the skill set, and the culture of the organization. We have to do security awareness, training, and education. Make sure that everybody in the organization is trained and, more specifically, knows what their roles are with respect to security. Every employee will be required to sign an acceptable use policy, and that basically defines for all of the employees what they can and cannot do, what is acceptable from an organizational perspective. We also have to make sure that everyone is aware of the ethics. What is the code of ethics? That might be something you need to develop, and it should be reviewed with each employee as part of the information security management program and their participation in it. We need them to sign their acceptance of the code of ethics, and that should be part of their employee folder. Documentation for the program is critical: what the objectives of the program were, a copy of the roadmap, all of the business cases, what resources were needed, controls, budgets, architectures, all of the paperwork, policies, standards, procedures, guidelines, as well as all of the indicators: key performance indicators, key goal indicators, key risk indicators, and critical success factors. We also have to be the program developer and the program manager.
We do gap analysis, we do timelines and budget, and we measure against that timeline and that budget, understanding that depending on where we are, what environment, what application, some areas will need more controls than others, and it's up to us to prioritize the different projects that are going on within this program. We have to do risk management. We have to know how to do risk management, when to do risk management, how to identify threats and vulnerabilities, and what the risk management approach is for the organization: do we do qualitative analysis, quantitative analysis, or semi-quantitative analysis? How do we assess and understand incidents and impacts, and how do we track all of this information? Everything that we do in security, any time we want to spend money, we need to develop a business case, and that basically is just introducing to the organization a way of thinking: the fact that we're doing justification for the controls, cost-benefit analysis, and objectively measuring any subsequent achievement of that control. Part of what goes into this program activity as well is the whole idea that we have to do budgeting. It's not just once to put the program together; it's continual, so that we can support this information security program throughout its life cycle. What goes into the budget? Time, contractor and consultant fees, equipment, space, documentation, ongoing maintenance. What are some of the different practices that we follow when we do program management? Well, first of all, problem management. What is the problem? How do we resolve it? Who's responsible? When does it need to be resolved? Vendor management: you're going to be buying controls and getting services from different vendors, so how do you manage that relationship? How do we evaluate the information security program, its objectives, or its compliance requirements? How do you operate it? Were there any programs? What resources did you need?
When you look at the program objectives, did you achieve those objectives? Were the controls implemented? Did they work? Were there any shortfalls? Hold annual or periodic reviews of the objectives and the accomplishments. When we're evaluating compliance requirements, one of the easy things is to get auditing involved to see if you are in compliance with laws, rules, regulations, and company standards. Look at the recent audit or the compliance review; that's going to help drive and support your information security program. If you're evaluating program management, have the roles and responsibilities been defined? Are the business units themselves involved? Do you have effective metrics? When you're evaluating operations, are there basic statements? Are there standard operating procedures for the security controls? Technical security management: do we have technical standards in place, and are they uniformly implemented? Are we doing separation of duties when it comes to roles like system administrators, DBAs, and network administrators? How are we evaluating whether or not we have the appropriate resources for our information security management program, whether financial, human, or technical? Anything that we do, in addition to the business case, needs to adhere to the quality approach of plan, do, check, and act. Plan your information security management system, then do something: implement the controls for the risks that you identified in the planning phase, and then check those controls to see if they're working. If they're not, take some action to correct them, and then go back and start over again. From a legal and regulatory standpoint, we need to know what the laws and regulations are, plus we need to know when something new comes down or anything changes, because that affects our compliance and our security program. We need to understand the physical and environmental factors and how those affect confidentiality, integrity, and availability. Next slide.
Personal computers need to be protected physically and environmentally, as well as the data center, because they are portable and they have some unique challenges: theft, loss, not being protected while they are at home, and geographical concerns, because there are different vulnerabilities based upon where you are in the world. Speaking of being in different places in the world, we need to understand the different cultural and religious aspects and the different regional variations, because you may get into a country, and I'm thinking particularly about some places like Africa and the UAE, that has very distinct cultural differences when it comes to the implementation of some controls. The other thing that we have to consider in terms of administrative activity is all of the logistics, all of the planning, and the execution of the planning. Scheduling of resources: when do we install a control? When do we get the DBA to help do that part of the work?