- What is risk management?
- Managing change to a network
- Mitigating network threats
- Training users
- Denial of service and social engineering attacks
- Hardening devices
- Testing network security
- Network monitoring
- Security information and event management (SIEM) tools

Skill Level: Beginner

One of the things I love about the Network+ is that it's such a practical exam. I mean, it really challenges you on how to do certain things about networking. It's great. But there's one place where we kinda have to close the lid and talk a little bit. And that's when we get into the idea of what we call IT Risk Management. Now security's a big deal for networks, no one would argue that point. And, in fact, I'm pretty good at security. I can configure a router. I can set up firewalls. I can lock down your wireless networks. I can set up a VPN.
I'm good at that stuff. I'm a kind of a screwdriver tech that way. But for me, I don't think about security as an overall thing so I tend to react to problems. So if some threat comes in, I'm like, oh gosh, I gotta do something here. Or if something comes over that way, holy smoke, we gotta do it over here. So that's fine for a small operation like me but when you're talking about enterprise-level security, people can't afford to go down the way small networks like mine can. And that's why the world of IT Risk Management exists.
IT Risk Management is a school of thought. I mean you can get college degrees in IT Risk Management. Now luckily, we're not gonna go that deep here. For the Network+, we're just gonna touch on it a little bit. So I want to take a moment. We've got a number of videos after this one to get into it, but I want to give you a couple of overview ideas so that I want you to stop thinking about oh, what can I do in terms of security? But instead, think about how do we plan security? So when we talk about IT Risk Management, we use the word infrastructure. So we're talking about all of our networking, whatever that might be.
So our job is to secure our infrastructure from threats. Our goal is to mitigate, to make it as small as possible or stop dead, threats that are coming into my infrastructure. So when we're setting up an enterprise-level network, we hire people. Big organizations have Chief Security Architects, Chief Security Officers, they've got all kinds of people who specialize in developing the security we need. Now what's tricky here is that, because you and I are techs, you know, we wanna talk about how do we lock down routers? And, ooh, how do we lock down our wireless networks? And these are important things but when you're talking about IT Risk Management, these are people who sit in boardrooms and wear ties and they set up overview statements that define little guys like me, what we're supposed to do to set this up.
And they have some terms and I want to make sure we know them. First of all, in order to set up your security infrastructure, you've got to start with something. And so what we start with are things like laws. Here in the United States, we have HIPAA for healthcare, there's all kinds of laws out there. We have standards. Organizations like, here again in the United States, the National Institute of Standards, NIST. They set up rule sets that say these are the things one should do to secure your network. On top of that, we have best practices.
Microsoft will say, look, if you're using a Windows network, here are some things we do to provide security. So you take all this stuff from all over the world, even things, common sense, all kinds of stuff comes into play, and you pay really smart people a lot of money to generate what we call security policies. Security policies are documents. And they are documents that define how you will go about doing the security to your infrastructure for your organization. We'll go into this in a little bit more detail in later videos, but for right now, I want you to understand that we have these pieces of paper that say all kinds of stuff.
Acceptable use policy, ownership of equipment policy, password policies. And these are documents. And there could be hundreds of them in a single organization. Now, these documents, let's talk about password policy for a minute. A password policy would say something, an overview statement. It would say we will always use complex passwords. That's usually about all it says. So once you generate that policy, then what you generate are what we call security controls.
And security controls are the cornerstone of everything that is IT Risk Management. Now, a security control will be something that will say we will have all of our passwords on our Windows systems will use complex password rule sets. On our Linux systems, everything will be a minimum of eight characters using uppercase, lowercase and numbers. So whereas a security policy's kind of an overview statement, a security control defines more clearly what exactly that is.
Now once you have a security control in place, well, then you go down to actual what we call procedures. So a security procedure would be, when setting up a user in Windows on the domain, be sure to set the security policy for passwords to complex. So we've got three big pieces here I need you to be comfortable with. Number one are policies, which are gonna be printed documents or at least electronic documents that define overview statements. These generate security controls.
Now a security control can usually end up just living in an Excel spreadsheet or something like that. But the security controls define more clearly exactly how we're going to handle a particular policy. And then a procedure is exactly how do we do that security control? So these three pieces are important for understanding IT Risk Management. Now if you wanna get into more IT Risk Management, and you should, I strongly recommend CompTIA's Security+. It takes it a lot farther down from here.