Join Mike Meyers for an in-depth discussion in this video Risk management, part of CompTIA Network+ Exam Prep (N10-006) Part 7: Managing the Network.
- One of the things I love about the Network+ is that it's such a practical exam and it really challenges you on how to do certain things about networking. It's great, but there's one place where we kind of have to close the lid and talk a little bit. And that's when we get into the idea of what we call IT risk management. Now security's a big deal for networks. No one would argue that point. And in fact, I'm pretty good at security. I can configure a router, I can set up firewalls, I can lock down your wireless networks, I can set up a VPN, I'm good at that stuff.
I'm kind of a screwdriver tech that way. But for me, I don't think about security as an overall thing, so I tend to react to problems. So if some threat comes in, I'm like, oh gosh, I got to do something here. Or if something comes over that way, holy smoke, we got to do it over here. So that's fine for a small operation like me. But when you're talking about enterprise-level security, people can't afford to go down the way small networks like mine can. And that's why the world of IT risk management exists.
IT risk management is a school of thought. I mean, you can get college degrees in IT risk management. Now luckily we're not going to go that deep here. For the Network+, we're just going to touch on it a little bit. So I want to take a moment, we've got a number of videos after this one to get into it, but I want to give you a couple of overview ideas, so I want you to stop thinking about, oh, what can I do in terms of security, but instead, think about how do we plan security. So when we talk about IT risk management, we use the word infrastructure. So we're talking about all of our networking, whatever that might be.
So our job is to secure our infrastructure from threats. Our goal is to mitigate, to make it as small as possible or stop dead threats that are coming into my infrastructure. So when we're setting up an enterprise-level network, we hire people, big organizations have chief security architects, chief security officers, they've got all kinds of people who specialize in developing the security we need. Now what's tricky here is that because you and I are techs, you know, we want to talk about how do we lock down routers, and ooh, how do we lock down our wireless networks? And these are important things, but when you're talking about IT risk management, these are people who sit in board rooms and wear ties and they set up overview statements that define for little guys like me what we're supposed to do to set this up, and they have some terms, and I want to make sure we know them.
First of all, in order to set up your security infrastructure, you've got to start with something. And so what we start with are things like laws. Here in the United States, we have HIPAA for healthcare. There's all kinds of laws out there. We have standards, organizations like, here again, in the United States, the National Institute of Standards, NIST. They set up rule sets that say these are the things one should do to secure your network. On top of that, we have best practices. Microsoft will say, look, if you're using a Windows network, here are some things we do to provide security.
So you take all this stuff from all over the world, even things like common sense, all kinds of stuff comes into play, and you pay really smart people a lot of money to generate what we call security policies. Security policies are documents, and they are documents that define how you will go about doing the security to your infrastructure for your organization. We'll go into this in a little bit more detail in later videos, but for right now, I want you to understand that we have these pieces of paper that say all kinds of stuff.
Acceptable use policy, ownership of equipment policy, password policies, and these are documents. And there could be hundreds of them in a single organization. Now these documents, let's talk about password policy for a minute. A password policy would say something, an overview statement, it would say we will always use complex passwords. That's usually about all it says. So once you generate that policy, then what you generate are what we call security controls, and security controls are the cornerstone of everything that is IT risk management.
Now a security control will be something that will say, oh, all of our passwords on our Windows systems will use complex password rule sets. On our Linux systems, everything will be a minimum of eight characters using uppercase, lowercase, and numbers. So whereas a security policy is kind of an overview statement, a security control defines more clearly what exactly that is. Now once you have a security control in place, well then, you go down to what we call actual procedures.
So a security procedure would be when setting up a user in Windows on the domain, be sure to set the security policy for passwords to complex. So we've got three big pieces here I need you to be comfortable with. Number one, our policies, which are going to be printed documents, or at least electronic documents, that define overview statements. These generate security controls. Now a security control can usually end up just living in like an Excel spreadsheet or something like that. But the security controls define more clearly exactly how we're going to handle a particular policy, and then a procedure is exactly how do we do that security control? So these three pieces are important for understanding IT risk management.
Now if you want to get into more IT risk management, and you should, I strongly recommend CompTIA's Security+. It takes it a lot farther down from here.
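As an added illustration (not part of the video), here is how the Linux password control stated above, a minimum of eight characters with uppercase, lowercase, and numbers, turns into a concrete procedure: a pam_pwquality line in the PAM password stack. The file path and the retry value are assumptions; the module options are real pam_pwquality options, where a negative credit value means "require at least this many characters of that class".

```text
# Assumed location: /etc/pam.d/common-password (Debian/Ubuntu); RHEL-family uses /etc/pam.d/system-auth
# Procedure implementing the control "minimum 8 characters, upper, lower, and digits"
password  requisite  pam_pwquality.so  retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1
```

Checking that this line is present on each host (for example with a configuration-management tool or a simple audit script) is what turns the written control into something you can verify, which is the whole point of the policy, control, procedure chain.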