[MUSIC] During the previous weeks, we have introduced how cryptography, security protocols, and system security techniques allow us to build more secure systems and networks. But is that all we require to secure an organization? Are technical systems enough to ensure that the organization and data are going to be secure?
Most of the time, when we think about security, we think about the technologies we need to use for providing security for information, either at rest or in transit, or other information systems, such as computers and networks. Unfortunately, security is not only about the technical means to achieve it, but also about the processes and people involved in those processes. It doesn't matter if we encrypt some data using the most secure encryption algorithm if we use a very simple password. In the same sense, it doesn't matter if your organization buys the most expensive and advanced security software if the employees can uninstall it from their computers at their will.
Security management is concerned with how to use the security technologies in the real world to protect organizational assets. This means putting together the technical aspects of security, processes, and people so organizations can achieve their business goals. Security management is not only deciding which security technology to use. Security controls need to be configured, integrated into the organization, monitored, updated, and replaced as necessary. Security technology that is not properly used won't help to protect organization assets.
Security management covers all aspects that help an organization to preserve the three famous security goals. These are, as you probably already know, confidentiality, integrity, and availability. In the context of security management, confidentiality means that information assets should only be read by those users that are entitled to do so. Integrity is about preventing users modifying organizational assets when they do not have the necessary authorization. Finally, availability means that organization assets can be accessed by authorized users when needed.
Security management also provides accountability and auditability, and serves to put compliance to standards and regulations. In today's world, there are many ways in which the current regulations affect the controls we need to establish to protect information. For example, in European countries, data protection legislation requires all holders of personally identifiable information to protect it appropriately.
Information security management involves staff management, too. In fact, staff is typically the biggest security risk, and also the most important security control. Security management activities related to staff include initial vetting of new employees, security training, and awareness, among others. Security training is meant to encourage the staff to follow good security practices and follow the organization's security policies. Obviously, the success of these initiatives varies hugely and depends on the approach followed to train employees on security practices. Forcing employees to follow static online courses doesn't help employees realize the importance of security. However, executing simulated attacks generally increases the awareness of the employees and their involvement in security practices.
Unfortunately, security management is not a silver bullet against security threats. At some point, these controls may fail as security incidents will happen. Security management processes also include incident management procedures to ensure that the organization can keep doing business and the incident impact is kept to a minimum.
Security management allows us to use security technologies effectively. It provides us with the tools to optimize the way people interact with technology so the risks that arise from these interactions are mitigated. Security management processes help us ensure that confidentiality, integrity, and availability of organizational assets are met. It also serves to ensure regulatory compliance, and recovery from security incidents. Implementing security management processes won't save us, unfortunately, from security incidents. But it will, for sure, reduce them and help organizations achieve their security goals. [MUSIC]