Let's take a quick look now at the information security strategy overview. The strategy is the plan to achieve a particular objective, in this case information security. So the first question is, where am I? That's the current state. Where do I need to get to? That's the future state. And how do I bridge the gap between where I am and where I want to be? Of course, again, the overall objective is to achieve that desired state, and that is defined by a business case and by expressing the security attributes within that business case.

Senior management defines the business strategy, which leads to business objectives. The steering committee and executive management define the risk management and information security strategy, which gives us our security attributes. And our job as CISOs or CISMs, along with the steering committee, is to put together a security action plan with policies, standards, procedures, security baselines and guidelines, which make up our security program. Then we implement that program, and then monitor and report on the effectiveness of the program to make sure that we are aligned with the business.

What goes into this process? Well, the inputs are right there. What's the current security state, where are we? What are the business requirements? What do the risk assessment and business impact analysis show us? And are there any regulatory requirements? We also have to understand what the prevalent legal requirements are, for example SOX, HIPAA, GLBA or FISMA. We have to know what framework we're using, like COSO. What are the control objectives? They may be from COBIT or from ITIL, which is ISO 27000, or the Capability Maturity Model Integrated. We also need to know what controls we're going to be putting in place, whether those controls are from ISO 27002 or from the NIST SP 800-53 document. What we look at, when we look at the framework, is a conceptual framework, the enterprise system architecture if you would.
So from the contextual level, what drives the business, and what are the critical success factors for the business? The business drivers have to be supported by assets, and the critical success factors are going to be impacted by risk. Then we look at the critical business processes and the different models: when, how, who and where. And we look at things like criticality, interdependencies, responsibilities and logistics in order to put together both a time model and a trust model. Logistics is going to help focus that trust model as well as develop a domain model. Those four, along with the asset attribute profile and the risk control objectives, are what give us our security strategy.

What are some of the things that we have to be aware of? Overconfidence, optimism, anchoring, the status quo ("everything's fine now, why do I need to change anything?"), mental accounting, the herding instinct ("well, ABC Corporation is doing this, we should do it too"), a false sense of security or false consensus, confirmation bias, biased assimilation, biased evaluation, or groupthink. All of those need to be avoided.