[MUSIC] Taking what we have talked about so far, we can now begin to develop an information security strategy. In order to construct this information security strategy, we need to include several things. First of all, what are the security objectives that we are trying to achieve? And what are the different tools and techniques that we can use in order to develop that strategy? What goes into that? What are our resources? What are our constraints and that will help us develop a roadmap for this information security strategy. Resources cover a number of things, policies, standards, procedures, guidelines, the architecture. Our existing controls administrative, physical, and technical any of the countermeasures and safeguards we have in, what we're doing for defense in depth or what are called layered technology,. All of these resources, people, the way the organization is structured, different roles and responsibilities, how well the people are trained, what skill sets they have, what our current security awareness and training program looks like what the previous audits have shown are we in compliance? What are we doing to enforce compliance threats assessments, threat modeling, vulnerability assessment, that business impact analysis that we talked about earlier. Also our risk assessment or risk analysis. Now one of the things that we didn't mention before, is the business impact analysis also includes resource dependencies. So we look at that we look at that third party service providers that we are utilizing and where within the organization we might get other organizational support, our assurance, what are our physical facilities, how do they contribute? What do they have in place for environmental security? From a constraint point of view, we may be constrained by the law, by the physical space that's available, by corporate or culture organizational ethics. By the culture and it could be the culture of the country that we're in, we're always constrained by money. Cost always plays into it. And very rarely do we have enough people to do everything that we want. You might find yourself in an organizational structure where they are a risk. Taking organization and if you're in a risk taking organization, it becomes very difficult to justify spending money for risks that management is willing to accept the odds. Opposite is true if you are in a risk averse organizational structure, money seems to be readily available for anything that you want to do. Resources of all types are constraints as our capability either system capability or people's capabilities. Time is an issue with the organizations risk appetite and risk tolerance are are also constraints.
