Hello and welcome back. We're here to discuss the security operations and administration area of the common body of knowledge for the SSCP. In the security operations and administration area, we're going to be focusing on the following objectives. You can see them on the screen in front of you. We have a nice laundry list here. Let's go through them. Defining the code of ethics: (ISC)2 has a code of ethics that all practitioners, all professionals, all certified individuals under any of the certifications (ISC)2 has and markets must subscribe to and commit to adhering to and upholding as they continue their professional practice. We'll take a look at what that is. We'll talk about it. I'll take you to the website real quick, show you where you can find that, and make sure you're comfortable with it as well as understanding what it implies. We'll describe the concepts of security and how they relate to our discussion. What are the security controls that we may be using to implement security operations, and how do we document those, and how do we actually use those on a regular basis? We'll take a look at asset management. What is it? How do we describe it? What does it mean to us to have an asset management program and process in place? How we implement compliance controls, how we measure them, make sure that they are operating appropriately. How we assess those same compliance controls once we've implemented them. Describing the change management process. What is change management? Why is it important? We have to make sure we understand that. Contribute to the security awareness training program. Making sure we know what that is, and obviously the value and importance of security awareness can't be understated or in any way really made light of. It's such an important thing. It is such a critical thing to what we do as security professionals and practitioners. It is so important for what ultimately you as an SSCP will need to do.
You're going to be on the front lines making sure that individual activities are monitored, that you understand the implications of decisions being made and that you execute the proper procedures, proper processes and proper policies to manage through the day-to-day activities of securing a network. Security awareness is going to become a critical element in that tool belt that you wear and the processes that you use, to broaden the impact of the good decisions, good management, capabilities and processes you follow and you bring to bear, for all the users that use the systems that you support and maintain. Without security awareness training, all the good work you do, in other words, is basically going to be almost impossible to validate and almost impossible for us to put the appropriate value on, because it's going to be so difficult for us to ensure that you're doing the right things for the right reasons at the right time. Because all of the stuff that users are going to do that's going to cause us to have to spend a lot of time being reactive and putting out fires and dealing with issues is going to get in the way of that. And so security awareness training is going to be crucial to our success, because it allows us to share with those users, the users of our systems, the practices, the procedures, the thought processes, the context, as we've talked about in prior discussions. That gives them the understanding of why it is so critical to do certain things a certain way. And while they may not like it, they at least understand the reasons behind having to do it, and hopefully, as a result, operate accordingly. And then, of course, we'll talk about how we contribute to physical security operations and the kind of control mechanisms, procedures, processes and also physical elements that we put in place to achieve physical security.
Such as turnstiles, mantraps and things of that nature, secure lockout cards, the card swipes on elevators, so the elevators are only available to certain floors in the building based on authorization for users to interact with the system. Using a guard at a desk in the front lobby, to ensure that when people come in, they are being questioned about what they're there to do and being directed, managed and told where to go under certain circumstances. Using closed circuit TV, CCTV systems, to be able to keep track of what users are doing and observe them. These are all elements of physical security operations. And we'll discuss those and define what they are as we go. Let's begin with the discussion of the code of ethics and turn our attention to understanding and complying with the code of ethics. And we'll begin by taking a look at the code of ethics for (ISC)2. So, you could see on the screen, along with what organizational code of ethics may represent broader and more distinct within your individual businesses. The ISC code of ethics, or (ISC)2 code of ethics, is going to be really the foundational element for any security professional, any security practitioner today that is certified in the (ISC)2 certification family. There are many, many certifications available to you as an authorized professional, as you gain in your stature, you gain in your experience and ultimately over time add one or more credentials to your resume. You may be an SSCP today or at some point in the near future after going through this material, but you may aspire to be a CISSP or a Cloud Certified Security Professional or any of the other certifications we may have around health care or some other topical areas we touch on. Whatever those may be, they all focus on the same code of ethics, and it's probably a good idea for us to take a quick look at the code of ethics and understand what it is and how it is set up. So it's just a quick field trip, if you will.
When we take a look out on the web at the code of ethics, you could see on the screen in front of you, I've got the home page at the (ISC)2 website up. So, www.isc2.org/ethics is where you will find this information, and the code of ethics is listed here. The code is listed; the Code of Ethics Preamble and the Canons are listed here as well. And we have general information about the code of ethics available on the website, because all certified professionals that hold any credential are going to have to attest to the code of ethics and sign away an affidavit as part of your application to get certified that stipulates you have read it, you understand it and you will do your best to uphold it as part of your professional conduct, and you will never knowingly do anything that would violate or put you on the wrong side of that code of ethics. So it is important for you, as a practitioner, to understand the code of ethics. You can see here: protect society, the commonwealth and the infrastructure; act honorably, justly, honestly, responsibly and legally at all times. In other words, follow the law. Provide diligent and competent service to principals; advance and protect the profession. We want to make sure we also know that we should put the safety and well-being of life above everything else. So, obviously, making sure that we always safeguard people and safeguard those individuals that may need our help before we worry about the safety of an information system is something that, you know, clearly in our mind should be something that we already know and already think about, but it is part of the code of ethics as well. Place life safety above everything else. And so we should, as potential candidates and/or qualified practitioners once you pass your exams and are waiting to be officially recognized and certified, be aware of the code of ethics. It is important for you to have knowledge of it. You are always asked at least one question on an exam about the code of ethics in some form.
Not telling you anything that's not common knowledge. We expect you to know it; you should definitely have a knowledge of it, should read the code of ethics quickly. You saw it's less than a page on the website. Make sure you are familiar with the tenets and make sure you specifically understand what the process will be to use the code of ethics and uphold it, by signing the waiver, as I said, the affidavit specifically, as you actually apply in the real world to make sure that you are qualified to seek the SSCP certification. Our organizations who have their own code of ethics, obviously important to think about that; your own organizations that you are involved with may well have their own code of ethics as well. Generically, a code of ethics is defined, as you could see on the screen, as a contract between professionals. So we want to think about that. Keep that in mind and be aware of that. We want to make sure that as we think about what the code of ethics is and we understand it, we are aware of the fact that we have an agreement between two parties in effect, the professionals in the organization and the organization itself, to act a certain way, to stipulate a certain kind of behavior, to focus on that. And then as you onboard, typically, you are hired, you go through a lot of orientation, a lot of training, a variety of things. But ultimately, you also are typically given a new hire handbook or some sort of policy book that tells new hires and employees how to operate, what to do, and you sign for that, typically stipulating that you've accepted it, you've read it, you're agreeing to be bound by whatever policies and conduct rules are stipulated within it. And that is that contract between professionals that we are speaking about. We want to make sure we're aware of that. As individuals that operate inside of the private or public sector today, we all have to be bound by certain levels of acceptable behavior.
We all have to be bound by certain codes of conduct, and it's not inappropriate to remind everybody of that and to focus our attention on that. And that's really all we're doing, is making sure we're thinking about that in this conversation. When we think about applying ethical principles, we're thinking about making sure that people act honestly, they act with integrity, as we've talked about. We're thinking about informed consent, telling people what they have to do and making sure they're aware of it before we actually ask them to accept anything. That's obviously a good idea because, having done that, we're disclosing fully what the expectations are. So it is a good idea to do that. Making sure that we understand that higher ethic in the worst case concept, where, regardless of what's going on, we should always have an ethical standard we hold people to, and even if things are just not going well and things are not operating the way they should, we should always try to follow those ethical standards and principles: safeguard life, safeguard the data, keep the integrity and the confidentiality of the system in mind. All of the things we talk about, even in the absolute worst case, it's important to be acting ethically and honestly. So I want to be thinking about these things in ethical principles may be applied. The general thought process in any system, for any reason, any length of time, as we look and we operate, is: things can go wrong, bad things happen. What separates us ultimately from bad actors is our ability as individuals, as security professionals, to focus on the fact that we have to act honorably. We have to act ethically. We have to act justifiably and correctly. And with the forethought in our minds all the time that we're there to safeguard the integrity of the system, safeguard the information, the confidentiality of it, provide access to those authorized users and try to safeguard them and keep the bad people out.
And that's really what our job is. We stand on the border and we protect the information integrity and confidentiality and availability of the systems that we are trusted with managing. It's our job, in other words, right, to make sure that those things happen. Irrespective of us having a bad day, irrespective of us deciding we'd rather be doing something else. This is what you sign up for. This is your job. This is what you do. So when we talk about acting ethically, when we focus on a code of ethics, when we talk about applying ethical principles, we're talking about ensuring that ultimately practitioners and managers and architects and all the people that are involved in creating and managing and maintaining secure systems and designing them are doing the right thing, interacting kind of in the right way, with the general statement, general process and general purpose in mind of safeguarding the users, the individuals in the system, as well as the data. And this is the overarching theme of what a code of ethics is usually all about, typically implies, what the ISC code of ethics clearly implies, and what applying and acting with ethical principles in the business is all about. Just make sure you remember that as we continue our conversations, and please come back and join me in just a moment for our next discussion.