Managerial controls are going to effectively be administrative controls. They are normally implemented through policy; they are normally addressed by management through a policy statement or some sort of administrative guide that says, "Do this or do that." And so we often think of managerial or administrative controls in that fashion. And we want to be thinking about examples of each of these, and you may want to stop and just think for a second here: "Hey, do I have managerial controls in my world today? In my office, do we have, or in my systems, do we have guidance, do we have policies, that from a managerial, administrative perspective tell us to do certain things a certain way? Procedures, for instance, could be considered managerial controls. Do we have technical controls like the ones we described, or operational controls like the ones we described?" And chances could be, if you stop and think about them, you'll find that you probably do. So, you want to be just thinking about those examples.
Having a good working example that's unique to you, that you understand, that you know, that you're comfortable with, that you can trot out and in your mind quickly run through to validate the information that's being asked of you, to validate the question, or to validate the assumptions, before you make an answer to a question, is definitely going to be something that you want to be able to do time and again, both on the exam and in the real world. When you're talking with somebody, and you're sitting in a meeting, and they ask you about what kind of control mechanisms would be appropriate given this situation, you want to have a good working knowledge in your mind and quickly run through a scenario and say, "Well, in this scenario, given this, this, this, and this, I would opt for these kinds of controls, and here's two examples of what I mean."
That will be a great conversation to have, and a great way to help in understanding or create an understanding and develop an understanding within the context of that conversation about what kind of controls would be appropriate. Same thing if you're asked a question on the exam. Be able to walk through the scenario. You may see scenario questions on the exam. By the way, not just multiple choice anymore, but we use scenario-based questions, we use drag-and-drop and hotspot questions, we use all sorts of question types today. So, you may see this information presented within the case study of a scenario, and you may have to then ask some questions or answer some questions about facts that are there, and those facts may lead you to pick a certain control type and use a certain example of a certain control type to implement a solution. You should be prepared to be able to do that effectively as you walk through the scenario. So, understanding the way in which this information is going to flow is very important for your success on the exam. And I want to encourage you to think about that and be aware of that as you go through the material.
Security policies, standards, guidelines, and procedures are all very important, and we need to understand the differences from a definition perspective as to what they are, and also, as we implement them, we need to understand that they're implemented, and as a result, are used to manage and achieve different results, and we want to understand what they do as well. Security policies are formal written documents, as you can see on the screen in front of you. They are high-level strategic statements of intent.
We tend to have usage policies, e-mail policies, internet browsing policies, mobile device policies; we have all sorts of policies in a typical environment, and those policies tend to be very high level, one or two pages at most, maybe three or four. They're not very big typically, and they tend to specify at a very broad level the kinds of expectations that management is setting for this particular interaction, whatever it may be: surfing the web, using a mobile device, using the company phone system to transact business, whatever it may be, appropriate usage, things of that nature.
When we get into standards, and we talk about standards, and we'll talk about standards, guidelines, and procedures here in the next couple of minutes, but we'll get into standards and we'll talk about the different approaches that we use, and guidelines, different approaches that we use, we're going to talk about more specificity. And the idea is we go from very broad policies, like the ones you see on the screen in front of you and I was just talking about, that are high-level statements of what we expect users to do, that provide some general guidance and general thoughts, to very specific implementation rules and restrictions that we use to narrowly define what behavior will actually happen when. And this is the continuum that we go through from policy, through standards and guidelines, to procedures. So, just be aware of that as we're going through our conversation.
We have all sorts of examples of policies, as you can see, that are subject-specific, as we call them out on the screen in front of you, and you may have one or more of these in your world, you may have lots of these, and you may have a whole bunch more that are not on the screen. Not an exhaustive list by any means, simply a sampling of items that may appear in many common organizations today. The things that typically make up a policy, and you can see there are elements that we often will refer to, are on the screen in front of you.
We tend to have an objective and a policy statement. What's the goal of the policy? That is the objective. The policy statement is a high-level summary, almost like an executive summary, a couple of sentences typically, as to what the policy is going to do. Applicability: who does the policy apply to? How do we enforce the policy? What are the mechanisms we will use? What are the roles and responsibilities that are necessary to run the policy, and to interact with it? Who's a user? Who's a manager? Who's an owner? Things of that nature. And then, by way of review, ultimately just kind of wrapping up and summarizing what will take place in there.
There are many places to get policies and policy templates. You may not necessarily know how to write one from scratch, but you may need to go out and find one or more of them. There are several places online to look for them. Sans.org, S A N S dot org. Sans.org has a great policy documentation library that you should go out and think about using. They have free templates that are available for probably close to 30 or more policy types that you can download in either Word or PDF format, for instance, and can freely republish and reuse, so that may be one place to go. Just do a quick Google search and you'll find all sorts of sample policies that you can download and use as well. You may ask peers and colleagues and friends, "Hey, what kind of policy do you have? And can you share that with me? Can I see a sample so I can understand what it does?" Lots of ways to find this information in other words