Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time.
Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast.
Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:20):
All right, let's get started.
Let's go, cybersecurity knowledge.
Speaker 2 (00:26):
All right, let's get started.
Hey y'all, Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today.
Yeah, today we are going to be talking about Domain 1 and Domain 1.7, where we're going to be dealing with policies, standards, procedures and guidelines. Riveting.
It's going to be amazingly riveting, I guarantee you, because policies and procedures are always super incredibly
(00:49):
riveting. I can't think of the right word, but enticing, some other big adjective that you could possibly use.
But, that being said, before we get started, I wanted to pull up an article, and I first got stuck on an article that I was about ready to just throw up in my mouth.
But obviously this Pete Hegseth, uh, Signal scandal issue.
This is in Wired magazine.
I started off with this and thought, oh yeah, okay, my gosh.
(01:12):
I mean, you got to know there's, there are smart people somewhere in DC and you're going, what are you people thinking?
And I know, half of the time when you're dealing with news, uh, the truth is somewhere in the middle.
But this was like just kind of making my blood boil until I was scrolling down and then I decided, as I'm scrolling through the pages, then I go, oh, what is this bullet, you know?
(01:32):
Obviously it's a little bit of clickbait for me, which is great, because this came up, which is much more enticing, related to cyber criminals stole record-breaking 6.6 billion from US entities.
So, hey, I pulled that one up and that was actually very, very interesting.
So this came out of the FBI's Internet Crime Compliance Center, or IC3, and we've all talked about them in various podcasts
(01:55):
that we've had within the CISSP Cyber Training.
But one of the impacts that I, when I read this article, I was like just, I mean, as you read these articles, you're not shocked, right, but you are shocked, you're just stunned at the size and scope of all of this.
Well, what they basically said is that in 2024, there was a 33% increase, right, in losses from 2023.
(02:20):
So you're talking a 30, that's a huge number.
I mean, we're not even talking.
In my business, you're happy to make 12% of your margin, right?
If you make 12%, you're making money, you're doing well, but when you're talking cyber criminals, they had a 33% increase compared to what they had in 2023.
So again, I gotta make sure I get my numbers right: 2024 was a
(02:41):
33% increase from 2023.
So obviously, some of the key points of this article, which you guys can go check out and I think you'll probably enjoy, but some key points around this are phishing, spoofing, BECs, you know, your standard business email compromises, ransomware and so forth.
But just to kind of throw a little bit of, you know, idea
(03:02):
around, what's all happeninghere is the investment fraud.
So this is involvingcryptocurrency.
They had the greatest financialdamage, which was totaling
around $6.57 billion in lastyear.
So what it comes down to isthat people are going hey, I
would like to order, I want toget in crypto and I also want to
(03:23):
get into cyber.
So, hey, let's do that, let's do this, and as they do it, what ends up happening is they give their money to these people who really don't, that, they have no plan on doing any sort of investments.
So it's very telling.
The other part of that was interesting is that individuals over 60 were the most targeted demographic and thus the highest
(03:43):
financial losses.
What does that mean?
Well, I'm fast approaching 60.
So what are people doing?
They're going.
Well, maybe I don't have enough in my retirement account to be able to retire.
And so what do they do?
Well, hey, crypto's on fire,let's go.
I'll do that.
Let's invest my money.
Whatever little money I have left, I'm going to invest it in this crypto stuff.
(04:03):
And what ends up happening?
Yeah, not so good.
They end up losing it.
So that is really crazy.
They also made a comment that cyber-enabled fraud accounted for nearly 83% of all losses reported to IC3 in 2024.
So that cyber-related stuff is a monster.
So you all, as you're studying for your CISSP, you guys are the
(04:26):
front line in helping people deal with all these issues.
Now, if you're in a business, one of the things that I think is telling, and this is something that you can't really put, um, any sort of control in place other than training and awareness, as it relates to business email compromises.
So now, business email compromise, they talked about in this article, was around $2.7 billion.
(04:48):
So if you teach your executives and you teach your leadership related to how to handle business email compromises, where someone gets in the middle of an email and the email chain and they act like somebody else saying, hey, please wire some money to XYZ.
Happens to supply chain, happens to main CEOs, if you can
(05:08):
get into that supply or into that group.
So where you are training your CEOs, your senior leaders, on what to look out for, this number dramatically drops.
There isn't much you can put in place.
I mean, there's probably some sort of controls out there, a little bit.
You have an easy button, you mash a button and it hopefully fixes your BEC problem.
There are some of that with some of your filters that can
(05:30):
potentially reduce some of the amount of this, but there's really not much more than just education and awareness to train your CEOs what to watch out for in this space.
That's $2.7 billion.
That's a lot of zeros.
So again, I'm just shocked, just shocked totally.
I mean, we, I know these numbers were there, we all knew these
(05:51):
numbers were there.
It's just the fact that it's just blowing my mind, the fact that there's this much money and then there's things in here that are happening to people.
They're losing it and they don't know what's happening.
They don't, they won't have any clue.
So again, you, as cybersecurity professionals studying for your CISSP, it is imperative, absolutely imperative, that you help these people understand the risk to
(06:14):
their organization.
And again, what it does with you is it makes you a much better security person within your organization.
It also makes you much more marketable, and it's the right thing to do, because these people are targeting people all the time.
I had an example of that with me just recently, where there's some things in our, my wife's business that we were working on and I had some people phone call me trying to get me to go
(06:36):
through this process, and I actually talked to him on the phone because I had submitted for this type of thing with the IRS, and I got somebody called me back and I'm like, really, this is interesting.
And I talked to the person on the phone and the person acted like they knew my account.
They knew all these things.
I'm going, this just seems fishy, something doesn't seem right here, and so what ended up happening is then they sent me
(06:59):
a text and said, hey, just put in your banking information.
I'm like, oh, oh, this is so, so fishy, so bad.
And so the point came down to is that anybody can be tricked, and they have call centers specifically designed for these people.
So you got to watch out for it.
There's, no one is immune to it, but you as a security professional, it's up to you to help them in this entire process, help your
(07:21):
people, help your peeps, help your company and protect them and protect you in this overall cyber world that we live in.
Okay, let's go ahead and get started into what we're going to talk about today.
Okay, so this is Domain 1.7: develop, document and implement security policies and standards, procedures and guidelines.
So I'm dealing with this right now in a company that I'm
(07:42):
working for as a contractor and it's very, very interesting.
You know, I will tell you that understanding the, taking the CISSP, is one thing, taking the exam, but understanding how it's being deployed through an organization is another.
And working through, when I was in manufacturing, I had, we had a way we did business, right, so these made sense.
But now I'm working with a much different organization and so
(08:03):
because of that there's, I have a different perspective that I did not have before in the manufacturing space.
So I can go tell you how manufacturing did it, I can tell you how the book tells you to do it, and, again, plenty of years of going through this.
But now I have another perspective with the financial institution.
That is just a different animal, and then I also did it with a healthcare organization as well.
So very, very, very different.
(08:25):
So here's some key concepts.
We're going to talk about policies and standards.
These are used synonymously, but they're not the same.
You'll hear this going, I'm using a policy, I'm creating this policy, and then they turn around and use language for a standard.
They're not the same, but people kind of blend the words together.
Also, understanding the terms is an important part of
(08:47):
cybersecurity and compliance.
It's really important.
Depending on the organization you're in, it's more important than others.
Manufacturing, it was important.
We had requirements around it, but it was like, okay, it's there, but it wasn't to the level it is.
In the healthcare industry it isn't the same as it is in the financial industry. Very different, but the concepts are the same.
(09:08):
Confusion around naming again can be counterproductive.
I've seen this. Now I'll be, an example that I was talking to a financial company and they made this term tranche.
It's in this tranche.
I'm like, what the heck is a tranche?
This is what we talk about on CISSP Cyber Training.
Break it down to the third grade level.
You want to have the ability to communicate with people and understand what that is.
So my wife, she's laughing. Brilliant.
(09:35):
It was a brilliant joke about it.
A tranche is a French trench.
It's a tranche.
No, it's not a French trench, it's actually like a phase.
So the financial industry used that term, tranche, I guess.
So now you know, naming can be very confusing, so you need to make sure that you use a similar name between everything.
Break it down.
People may be very, they are very smart, but they may use big words and sometimes those big words, they assume that everybody
(09:57):
understands what the big words mean.
I'm a pig farmer by trade.
I don't know big words and therefore I don't know big words.
I ask questions because I'm not very smart.
Right?
The point is that if I can't understand it, I guarantee you people in the room can't understand it as well.
Ensure the best cybersecurity practices and plans.
They all need to be hierarchical.
You've got to have them in a hierarchical plan.
(10:19):
We'll go through those in just a minute and they must build upon each other.
They build, and this is a foundational piece of any organization, is understanding your policies, your procedures, your guidelines and so forth. Cybersecurity and data protection.
They again must focus on all aspects of the business.
You can't just focus on doing the thing of policies and procedures for the sake of doing policies and procedures.
(10:40):
They've got to focus on any or different aspects of your company and where you make your money.
Now, as you deal with security policy, these are high-level statements of management intent, those.
What is the management plan to do?
And we're gonna get into some more details around each of these, but it establishes the requirements to guide your decisions, achieve your outcomes.
What is the overall plan from the CEO or the board of
(11:02):
directors?
It is the overarching plan.
So cybersecurity will have its own policy.
Now, typically, that is a cybersecurity policy for your company.
You wouldn't have, typically, this doesn't mean you won't, but in many cases you wouldn't have a very specific, like a PAM policy, where you have your Privileged Access Management policy.
(11:22):
Now, you may have a standard or potentially some procedures around PAM, but you wouldn't have a PAM policy per se in most companies.
Some companies who are dealing with this specifically may have that for their needs, but it's something that's formally established by the CEO or the board of directors.
Now, as a CISO, I would go and make this for my CEO or I would
(11:43):
make it for my CIO and they would then be the ones that would sign off on the policy.
Now, depending on the size of the organization, it could come from me as well.
In our organization, previous life, they brought it all the way up to the CEO or to the CIO on any of these specific policies.
They did not come from me, because it would, in some respects it would be kind of a, if the CISO is giving
(12:05):
it out, it's now just a security thing.
It's not actually a company-wide thing.
So you wanted to get it up high enough where people would respect it to be a company-wide policy.
Now it defines a specific scope of an organization and it implores clear and concise directions.
What does that look like?
But it is big.
It's big from an overall view standpoint.
(12:26):
It defines the importance of security and the importance of protecting company assets.
So again, you want to call all that out, why it's important for an employee to be able to do this, why do they have to be aware of security?
Why do they have to manage it?
And these exceptions to the policies do happen, just like everything we talk about in this world.
There are exceptions.
(12:46):
However, they can be very rare and if you want to, you want to make sure that, well, not if you want to, you really need to document any exceptions that are added to this policy.
So if you have a specific situation where in your policy everybody must have a password of 55 characters, right, let's
(13:06):
just say that's the case.
They must have complex passwords and with an expectation that it's less than, or it has to be more than, 12 characters.
If you have a situation where you have it allow eight characters, there would have to be an exception, and there might be some equipment that can only have eight characters.
So therefore, that exception would need to be documented.
Another one I have as an example on the slide is around formal policy around scanning systems. In OT or operational technology
(13:29):
networks, scanning can be a big problem.
It can actually cause them to roll over and die, and so, because of that, you would want to have some sort of exception to that rule.
So, again, if it isn't granted, you must make sure you have a compensating control, should be implemented, or I mean you want to.
Should is a key term.
You don't have to have it, but you need to document the fact
(13:52):
that if you're going to allow an exception, what is the compensating control?
Or are you just going to accept the risk for that situation?
So there's types of security policies.
You have organizational security policy, you have issue-specific policies and then you have advisories.
Now your organizational policies would be a specific business use case or need and they can vary between business
(14:12):
units.
They can vary between financial, healthcare, manufacturing.
They all can be in different places.
Now you may have a very specific policy, such as issue where you are sending money outside your organization, i.e. the business email compromise which we talked about.
You have a policy that says if we're going to be sending money outside of our company, there have to be two people agree to
(14:33):
this, and one must be the CEO or the financial person.
The next person must be the CFO and they both must sign using DocuSign to make this happen.
You can't just say, hey, Billy Bob called up and said, yo, Joe, please send the money.
Now again, you can do that, but if you have some compensating controls in place, then you need to make,
(14:54):
well, you need to have some compensating controls, other than calling up Joe and saying, hey, send half a million dollars to XYZ, but just a bad idea, because in today's world, especially now with AI and ML, uh, we, you, you can jack up people's voices to the point where they don't even know who it is, and I was, I mentioned this once before in our podcast.
There was a priest that was doing exorcisms, and this is
(15:17):
catholic priest I think it wascatholic and he was mentioning
how people.
Now he has changed his, his, uh, overall scheme on how he's
helping people, because there'sfolks that are scamming people
out of money because of the factthat they've used his voice in
doing this.
So it's out there.
You guys have got to beprepared for that.
Also, there's advisory ones,obviously, around acceptable use
(15:40):
activities and then USB usage.
All of those pieces are a part of your security policy and all of those can be deployed within your organization.
So what are the hierarchical aspects of policies to procedures?
So how this works is that you, let's just start.
You'll see on the slide there's like a pyramid looking thing.
Now we're going to start at the bottom, the most basic, elemental part, where that defines the practices.
(16:01):
This is the things that people turn knobs, they push buttons, they do all of these different pieces, and that is a procedure.
Now this is a prescribed set of implementation standards and guidelines.
This helps all of these things build upon each other.
Now this is understood in many areas of what they call a SOP or a Standard Operating Procedure, SOP.
These are typically a step-by-step process in making
(16:26):
these things happen.
So if you go, if you have like a SOC and you have a way that you would go through and check to make sure that you have your spam filters in place, it's a step-by-step checklist that would walk you through that.
I'm doing a reconnect SOP for somebody right now, playbook kind of thing, and that would be an SOP.
That would be something that would be set up and you would go
(16:48):
from how you're going to turn off a SASP or a service that you may have.
How are you going to turn it back on?
Those are different types of SOPs.
Now, military, regulatory bodies will commonly use SOPs, but it's not just them.
It depends upon the organization and how they will use them.
But just think of them as the most elemental piece of your organization.
It's the step-by-step checklist that you would occur.
(17:09):
Then the next thing is, and one of the points I want to have is your hardware, software, how to make changes.
Again, it's a living document.
That's the other part to think about.
It is a living document within your company and it will be subject to change routinely.
But you do need to make sure, as we get into the documentation piece of this, you do have revision control based on this.
(17:30):
They can be very onerous to create and maintain, depending upon where you put them.
I will give you an example. Keeping them on a SharePoint site in a PDF form and then having a Word document.
Where you have a Word document, you then make it into a PDF.
You then publish the PDF.
That's very onerous.
You may want those procedures in maybe something a little bit
(17:51):
more fluid, like maybe just a web page per se.
Right, you have a web page that has numerous types of procedures on it and they click to it.
The downside with doing that is, if your web page goes down, do you have access to actual physical documents that you can do your procedures on?
Ran into this in the OT space as well.
They actually had books, so they had it on a web page.
I'm trying to think of the best way.
(18:12):
But you could have, like a SharePoint site which gives you a web page.
You could have it on a web page, but they also had printed off versions of each of these procedures because, in the event that the web goes down, you need a procedure to be able to look at and be able to do what you need to do.
So, again, they can be onerous.
They do change a lot and you do need to have a structure, a life cycle in place to make sure that as you're building these
(18:32):
things, you have a way to put revisions and also publish new revisions.
Now a guideline is considered, is really additional information and guidance.
It's routinely not considered as a mandatory practice.
You may get these into job aids, they may be some other thing.
That is just helping you, give you a little bit more context versus a checklist that you would have with a procedure.
(18:54):
Now they recommend these on anytime you're implementing a standard or baseline.
You'd have potentially a guideline to talk about that or a guideline to talk about the procedure itself.
Specifically, if you look at the pyramid, they're kind of the next step in a procedure, but they may flow between the standard and the control objectives, depending upon how you want to detail this out with the context.
(19:15):
Again, they're more designed for users and other security professionals just to understand the bigger, broader picture of everything there.
Now the standard, this is where the organization will set specific requirements.
This is designed to specifically deal with control objectives, and we'll kind of talk about what is a control objective here in a minute.
Typically they're tactical in nature and they specify methods
(19:39):
to meet the specific control.
So you'll have control objectives in many cases built into the standard and how you're going to meet them.
So some of the typical documents you'll have is you'll have a policy, you'll have a standard and then you'll have a procedure or a playbook, and the control objectives will sit inside the standard.
The guidelines will kind of help, maybe give you context around the standard or on the procedures, but those are just
(20:02):
kind of the way it's set up.
Again, it depends upon your organization and how they play it out, but typically it's policy, standard, procedures.
Now the control objectives.
These design the detail of the control.
Specifically, this defines the outcome that was to be achieved by implementing the control.
And you may have the fact that MFA must be enabled in all
(20:24):
external communications.
That would be a control: MFA, external communications.
That would be in place in your standard.
And so therefore, now it's defined that you must have a multi-factor, and you must have, now the control will be any external communication would be done with multi-factor.
Then you now have to implement.
What tools will you implement to manage that control, that
(20:46):
specific verbiage, that specific line?
And you guys are listening to this, probably going, oh my gosh, this is so painful, and you're right, it is.
And a lot of organizations will avoid this because it's painful.
So what they do is they'll just go, we'll put a policy out there.
Everybody, just do your own thing.
Watch our policy.
Don't do anything you shouldn't do.
Let's move, and that's fine, and that will work for a while
(21:09):
until it doesn't.
And then, when it doesn't, you're going to be not happy.
And the reason is, is that going to stop?
Is your policy going to stop people from not doing bad things?
No, they're still going to do it.
Is your standard or guideline or procedure going to stop people from doing bad things?
No, they're still going to do it.
However, if you don't have this documented and now you go to, basically, and I've seen this, lived it, where you now are going
(21:33):
to go and sue somebody because they stole your stuff, well, one of the first things they're going to say, when you go to sue them because they stole your stuff?
Well, do you have this documented in a policy or a standard or a guideline or a procedure?
Do you have this documented anywhere?
No, well, if you don't, then guess what?
You're probably out of luck.
So the point comes into is that you are going to have to deal
(21:54):
with this, whether you like it or not, especially if you're dealing.
As we become more regulatory in nature, it's definitely going to become a bigger factor.
So don't put this off.
You need to do it, develop, develop the time and the energy and the effort to make it happen.
Now, as we talk about policy, high level statement of management's intent, what is your overall plan from your
(22:14):
organization?
And it's divine, divine, divine.
Yeah, it could be divine from God, but no, it's not.
It's designed to be implemented by all parts of your business or organization.
So, again, you want it to flow through your entire company and that policy is the overarching piece of this.
So again, just kind of a real quick synopsis of them and the importance of them. Policies.
(22:34):
They establish authority, they communicate management commitment and they define the scope.
This is the basis for accountability within your company. Standards.
They ensure uniformity.
They help reduce the complexity of your organization.
And then the interoperability, big $10 word.
Again, it's not third grade level, big inoperability, see, I can't even say it, it's just the communication between them.
Right, they're communicating between the different business
(22:57):
units and allows them to help ensure that you have enforcement and auditing as you're going forward.
Now, one thing to keep in mind is the fact that, as you're dealing with financial institutions and with healthcare, audit is a big factor and having audit involved, they're going to want to see all this documentation.
Having this defined makes audit happy.
When audit is happy, you are happy.
(23:17):
So you want to make sure youkeep audit happy.
Okay, did I say that enough? Procedures, these are designed to minimize errors.
Again, they want to have the point of that.
You actually will go through each bullet.
They're more of a checklist, like a job aid kind of thing.
Well, not really a job aid, that's more of a guideline, but they're kind of an aid in training and so forth.
They help guide you in a direction you need to go.
(23:38):
Guidelines can be like a job aid.
They offer flexibility, promote best practices.
They kind of give you context about specific institutions.
Now, there's a thing called a baseline and this might be what they call a, well, not what might they call it.
They do call it.
It's like a minimum acceptable security posture.
I've dealt with baselines and minimum acceptable security criteria.
(23:58):
When you're dealing with a large organization, it helps you identify what is the minimum standard that you want to have.
This may be documented in a form or a guideline.
It could be documented in a procedure, but it's a minimum acceptable security posture.
Is there a perfect thing for this?
No, you can do it.
However, you want the key bullets to remember is policies,
(24:18):
standards, procedures are the three main buckets you got to deal with; your guidelines, your baselines and those other aspects of control objectives kind of all flow into this.
But, and I know this is a lot and you're going, I don't understand all this.
I highly recommend you go to CISSP Cyber Training.
You watch the videos that I have.
It'll walk you through it over and over again.
(24:39):
Listen to this podcast multiple times and it will help you kind of formalize it in your mind.
So what is the importance of defining this security documentation?
I'm going to come back to this again. Based on risk assessments.
Depending on, like, if you're in the financial industry, you may have a risk assessment.
You may have legal regulatory requirements that force it.
You've got to have specific documentation, and this helps
(25:02):
address specific issues or gaps that may be identified.
I'm going to give you a good example.
I'm working with a gentleman right now. Very smart man, super smart.
He leads security for an organization.
This guy's got it together, right.
He's got really good plans, he's got really good capabilities, good people, but his documentation stinks.
And the point of it is, he's like, well, I don't need it,
(25:23):
their auditors aren't asking for it.
They ain't asking for it now, but they will ask for it.
And if you don't, I had my CIO made a comment to me because I sometimes have a cluttered desk.
You know, my desk gets a little messy at times and he came up to me and he says, you know what, cluttered desk, cluttered mind, and I'm like, well, I don't necessarily agree with that, but I get what you're saying, right.
The point of it is, if you don't have this stuff documented
(25:44):
it's, it's kind of cluttered desk, cluttered mind.
Uh, you need to document these pieces because they're super important.
One, it gives a legal issue that may come up.
You're documented.
Two, if you as the expert, let's say you are the person and you've got all the knowledge.
You're on in a trip in Hawaii and now everybody's going,
(26:07):
I don't know what to do because there's nothing documented.
They're going to be calling you in Hawaii with you and your wife on the sandy beaches just relaxing, drinking a Mai Tai, and, yeah, then you're going to have to deal with that mess.
The goal is you got to document everything you just do. Defining scope and audience, this clearly outlining each of the systems, departments, user groups.
All of that is being defined with your scope and who your
(26:27):
specific audience is, but it's also tailoring the language in your documentation to the level of detail.
For the specific audience, as an example, the policy should be very high level, should be targeting the entire audience of your company.
So you got to get, again, third grade level, maybe even first, depending on what your company does, but you got first.
You know, if you're taking care of babies, maybe first grade, I
(26:50):
don't know, but you got first to third grade levels and you want to do that from a policy standpoint.
However, if you are the SOC and you're dealing with incident response, you're not going to put those different terms at the third grade level.
They may be a third grade for a SOC analyst, but they're not a third grade for a CEO.
He won't know what any of the stuff is that you're talking.
(27:11):
He don't even know what a SOCis.
It's something you put on yourfoot.
He wouldn't know.
So, therefore, you need to define the scope and the audience specifically for your organization.
Again, I'm making generalities.
He probably knows what the SOCis, but people don't, right.
You say that word and they haveno clue what you mean by that.
Content creation and collaboration.
You want to make sure this is a key piece.
(27:31):
I'm creating content for this third party, for this company, and it's good content.
Just ask me, right, it's awesome content.
However, if they're not involved in this overall process, I'm going to be talking to them and we're going to go right past each other because I'm going to use words or jargon that they may not relate to or understand, and because of that, they're going to go, I don't get it.
(27:52):
So you need to ensure you have clarity.
You need to make sure everybody's involved.
All the teams are involved: legal, compliance, HR, CISO, any of the BISOs, which is your business information security officers, any of those folks.
All the key people need to be involved and you need to have clear, concise, unambiguous language.
(28:13):
Avoid technical jargon whenever possible.
Again, the technical jargon should probably be in the procedures and that's about it.
You really want to keep everything else very high level, which makes it challenging.
So you also need to have an approval process.
This is establishing a formal process for review and approval by the appropriate levels of management. You've got to have
(28:34):
the CISO has to approve it.
The CIO has to approve it.
Your director of security operations has to approve it, depending upon where it's at in the overall plan.
If it's a procedure, probably director of security operations.
If it is a standard, it's most likely the CISO.
If it is a policy, probably the CIO.
So those are the different pieces of it, right.
(28:55):
So you need to have that done,and it also helps ensure
accountability and buy-in fromyour specific leadership.
They're aware it's not justSean going off and doing his own
thing in the corner.
Just let Sean be, throw somepizza at him, he'll go do his
stuff.
Leadership is going to beaccountable and responsible for
much of the things you talkabout.
(29:16):
As an example, I'm using aconnect and reconnect playbook
right now and that basicallymeans is that if I'm dealing
with, say, I'll use it in when Iwas working in the
manufacturing space, we hadconnections with third parties
and we would send them verycritical data, and these third
parties would be governmententities.
We would send them criticaldata around what's happening at
our facility.
If I'm sending them a documentor just whatever and I have to
(29:38):
shut it off because of a malwareincident, I have to have a plan
on how I'm going to shut it off.
I also have to have a plan onwho is going to approve this
shut off, and in many cases it'sa CISO.
I could do that, but Idocumented that all the way up
to my CIO and then he I wasassuming that he then which he
did bring it up to the CFO andthe COO to make sure they were
(30:00):
(30:00):
aligned with it.
Again, the approval process.
I had the decision rights to do it.
I could do it.
However, I wanted to make sure that there was a paper trail from when I said I'm doing it, that everybody is aligned with what I'm actually trying to accomplish, because there are consequences that happen the moment you turn that stuff off: regulatory fines, people with guns start knocking on your door.
(30:26):
All these things can happen to you if you do this incorrectly.
So again, these are the years of knowledge that you won't get from just a book or a guy that tells you I'm going to make you a millionaire by just studying cybersecurity.
That's craziness, but that stuff you're going to get with CISSP Cyber Training.
Sorry, just a little bit of a tangent.
You need to establish a schedule for periodic review, update based on changes in technology, threats, regulations and
(30:48):
business needs.
All of these things need to be done.
You need to have version control and maintenance on each of these documentations that you put out. Again, documenting the details.
Part two: your centralized repository.
You need to store these things in a central location.
I dealt with auditors and they want to see it, they want to be able to touch it, they want to know where that's stored and the fact that everybody else has access to it as well.
(31:10):
So a central location, it can be whatever you want it to be, it just needs to be in a central spot and everybody needs to know it's there.
It's not just Sean knows it's there and nobody else knows it's there.
Everybody needs to know where it is stored at.
Considering electronic document management systems for version control and access management, you may want that. I know in the legal space,
Hummingbird is one that they've used, I've dealt with in the
(31:32):
past, but any sort of legal documentation, it's a check-in, check-out kind of thing.
You may want that, depending upon your company and how detailed you want to get with your documentation. Clear and concise formatting.
The formatting must be the same.
Another thing to think about: if your policy, standards, all of those have the same type of formatting and it gets down to a procedure and the procedure doesn't look the same, most
(31:56):
people are like, yeah, so what?
It doesn't have to look the same.
I agree it doesn't necessarily have to, but it should flow the same.
If you're having purpose, scope, outline, overview, all of those kind of buckets, roles and responsibilities, they should mirror going all the way down from your policy down to your procedures.
And again, it's just helping with standardization.
(32:17):
It's helping with people seeing something over and over again, and they actually understand when they see it.
So, as an example, they've seen a policy and they know what it looks like.
You see a standard and they know what it looks like.
Something comes up on a webpage that looks just like those two things.
Well, it's probably some sort of documentation very similar to your policy and standards.
Ah, okay, without even reading it, they can see that.
(32:38):
So it's an important part.
Consider, we talked about the formatting, communication and awareness.
This is imperative.
I'm running into this right now.
You need to make sure that everybody's aligned with what you're trying to accomplish.
People need to be aware, from a training standpoint, of what exactly is a standard, what is a procedure, what's in it?
Why are you doing it?
People need to know this because, one, it's just important
(33:01):
for your organization to push this out through your organization, and if they're not taught what it is, they're not going to really even use it.
Good example around this is the use of CRI, which is a cybersecurity risk institute, and it's a way that's kind of a framework that falls under NIST cybersecurity framework, but it's kind of in conjunction that financial institutions are using.
I'm in this contract and we're helping them with their
(33:25):
implementation of CRI is one aspect.
But when I mentioned CRI to these people, they have absolutely no clue what I'm talking about.
But yet the organization, the top level organization, says we are going to use CRI.
But as you go down into the minions down below, nobody even understands what it means.
So it's imperative that you have communication and awareness around: what is the overall plan?
Use various training methods such as internet, internet
(33:46):
postings, training sessions and then email notifications, again, getting this information out to people.
Training and awareness programs, we talk about that.
Again, it's imperative that you do those and it helps reinforce the understanding and compliance throughout what's ongoing within your company.
Imperative, imperative, you must do these.
I know people don't like to do them, because you've got to go talk to people and you've got to constantly be yapping and
(34:06):
you've got to go.
It's one more thing I've got to do on my list of 8 million other things I've got to do.
I get it.
You've just got to do it.
Just suck it up, buttercup, get it done.
Integration into business processes: you need to make sure that as you build in these policies, procedures and guidelines, they build them into your business processes as well.
Workflows, I see this time and again.
(34:28):
Nobody builds a process or a workflow, they just kind of go, yep, here's a document, go away.
I'm going to continue doing what I'm doing, and again, that can work fine in smaller organizations, but as your organization grows, that will not work.
You also may not want: I'm going to have a process for this and a process for that and a process for this.
That's just too much.
(34:49):
But there's some things you need to have a process for, such as business email compromise.
How do I deal with moving money?
That's a big one.
You want to have a process for that.
You want to follow the process behind it.
Multi-factor authentication. Provisioning new people within your organization, you need to have a process on how to do that.
Storing credentials in a PAM, Privileged Access Management
(35:11):
System, you want to have a process on how to do that.
All of those things.
I'm beating the drum on this, but they're imperative that you do build these things out within your company.
So it's just part of doing business.
Enforcement mechanisms: you need to have clear consequences for noncompliance with mandatory policies and standards.
(35:31):
Again, you got to have a way to beat people over the head with a stick, not physically.
You don't want to hurt them, and that would be called assault.
We don't want that.
But you got to have a way that you can then enforce the fact that you are saying, you must go do, son, you must go do, young lady, what I'm telling you to do.
Man.
I just sound like an old crusty fart when I said that, you must go do this, right.
So therefore, there's consequences. If you don't do
(35:52):
this, you will lose access.
If you don't do this, you will be fired.
Those kinds of consequences, people need to be aware of them.
Implementing technical and administrative controls to support the enforcement, right.
You check off.
You do too many emails, phishing attempts and you get caught.
Too many times, you now lose network access.
Well, if you don't have network access, you lose your job, so
(36:12):
on and so forth.
Monitoring and auditing compliance: you may have auditors that will be looking at things like this and they are going to be asking this.
They're going to be monitoring, ensuring that you are adhering to your policies, standards and procedures.
You publish them, you make them.
They're going to hold you to it, not just, hey, this is shelfware.
I'm putting it out there.
I made it.
Everybody look at it.
It's pretty.
(36:33):
No, that's not it.
They need to have policies, standards and procedures.
You need to monitor those, and then you conduct regular audits to identify instances of noncompliance and areas where you can improve.
Again, audits are an important part of this whole process, and it's, I hate to say it, but you're like going, I got people on top of people on top of people, and it's true, especially dependent upon the organization you're in.
(36:55):
Now, some organizations you don't need that, right, if you don't have regulatory requirements, you don't want to have to deal with some of those pieces.
You may not have to have the auditing and extra additional aspects, but if you are highly regulated in industry, yeah, you're going to need all that, okay.
So in the healthcare industry, we're going to kind of walk through a couple different things, and this, I want to have some examples for you.
(37:16):
So we're going to talk about a policy, an acceptable use policy for electronic health records.
So you would want to make a policy on acceptable use, what is considered acceptable use for healthcare records, and then you want to call out what would be like privacy, data integrity, compliance with HIPAA.
That is an overall policy around acceptable use.
(37:36):
Now, it could be acceptable use for BYOD.
Bringing your own device. Could be acceptable use for using company equipment.
It just really depends.
A standard would, an example of that would be a strong authentication standard for accessing patient data.
Do you have multi-factor authentication?
And you must.
It mandates that you have multi-factor for all personnel
(37:57):
accessing EHR, electronic health records, or other systems that have PHI, protected health information.
So again, that would be.
So you start up high, you've got your acceptable use, you've got your now MFA with your authentication.
Then you go into a procedure.
This outlines step-by-step what the employee must do if they want to. They suspect that there's a security incident that may
(38:18):
involve PHI.
How are they going to do it?
Who are they going to notify?
What is the phone number?
What is the email?
All of those things would be a procedure, a step-by-step guideline.
They also can, you can use the term playbook, might be something similar to it, and then a guideline.
This is for secure disposal of electronic devices containing PHI.
How would you do this?
If you're going to wipe or destroy hard drives, wipe or
(38:39):
destroy BYOD devices, how are you going to do that?
That would be what we would consider a guideline.
Now, again, all of these are just subject to whatever organization you're in, but you can see the bigger picture as it goes from policy, standard, procedures, and they kind of work their way down.
Now one thing I would recommend is get with your organization to make sure that you have the same terminology.
(39:00):
And I'd say I've been with companies that have said I have a policy, I have a standard and I have a playbook and I have a program that's an overarching plan of my entire company.
You got to make sure you understand that you're using the same verbiage for your company.
Policy and standards are pretty similar, but I have seen differences between procedures, playbooks, checklists.
(39:20):
They will have a job aid.
It's kind of like your guideline, but they'll have different terms based on what you're using.
Now we're going to deal with the financial industry.
What is that?
Do you have a data classification policy, which could be set up specifically around your policy, and this would categorize all financial data based on sensitivity: confidential, restricted, public, top secret, however you want
(39:42):
to do it, and then they would define these security controls for each category so that it meets GLBA or PCI DSS, NYDFS, all of these different types of financial pieces are in your data classification policy.
Then your standard would be an encryption standard for data at rest or in transit, so like if you have data that's being sent
(40:03):
somewhere, how should it be protected?
What is the protection mechanism that you're using for that?
Does it require long key lengths?
Does it require large passwords?
What does that maintain?
Are there specific algorithms it has to use, and so forth?
That would be the standard.
Then a procedure would be around processing wire transfers.
What are the steps to avoid BEC type situations?
(40:24):
These are the steps you got to verify.
I call Bill, Bill calls Fred, Fred calls George, and they all have to agree through DocuSign that we're going to send a wire transfer.
That would be a procedure, and that would be done specifically for dealing with high value transactions. Guidelines.
This would be like secure remote access for employees.
If you're using VPNs or any sort of type of authentication
(40:47):
that's coming into your company.
These are some guidelines on how to use them.
Here's how your endpoint security works for your company.
All of those kinds of pieces would be in a guideline. Again, policy, standards, procedures and guidelines.
This is just using a couple snippets.
It's not the be all end all, but it gives you an idea of what you're trying to accomplish when it comes to these various pieces of
(41:08):
this documentation.
So now some other items to consider. Again.
Consider security minimums, which you kind of talked about again at the beginning.
What are your cybersecurity minimums?
These can be very specific for databases, servers and so forth.
You may have a minimum expectation set up for servers, minimum expectations for desktops.
That could be a part of this overall standards process and
(41:30):
you may want to document that.
I would highly recommend you document that within your overall program.
Again, policy, standards and controls are expected to be published for anyone within the company.
So your policies, your standards and your controls are based in.
Your standards are designed so that anybody who reads it can have an understanding around it.
(41:50):
You want to be clear.
So if it's for anybody within the company, the verbiage needs to be very focused on what you're trying to accomplish, and avoid acronyms at all costs.
Essentially managed by potentially a GRC or IRM platform.
What does that mean?
You may have a governance, risk and compliance platform that all your data is stored into, and if you want to get the document
(42:13):
out, you publish it and then you may check it out, type of thing.
They're typically published, maybe potentially as a PDF, in that format.
That's a good place to store them, in your GRC platform versus on a webpage.
That's again for your policies, procedures and so forth.
If you can get procedures in there, I would recommend it.
But again, a central location of some kind is really, really
(42:35):
important.
If you have to have two locations because your procedures, they won't allow you to put it in there, then just limit it to two.
All my document stuff for my company is in one and all my checklists are in another.
That's fine too, but it just needs to be well known by everybody in the organization.
Some things to avoid.
Again, one document that covers all cybersecurity aspects of
(42:55):
business.
I have a policy, a standard, a procedure all in one document.
Yeah, don't do that.
That would be a bad idea.
Blending high-level policies with others, such as procedures, can cause confusion.
And again, you're going, well, I just have documents for the sake of documents.
You are correct, you have a lot of documents, but you've got to put it down because we as human beings need something like that.
You need to be able to step it through, step by step by step.
(43:17):
Provide all documentations to everyone.
Everyone within your organization needs to have access to these documents.
Specifically. Now, procedure documents may or may not be available.
You may have a set of procedures that you want to push out to everybody so everybody can see them, but you have your
(43:38):
super secret hidden menu items off to the side.
I'm kind of torn on this whole thing.
I've seen organizations that have done that.
Personally, if everybody in the organization needs to know how you configure your spam filter, I don't think they need to.
I think that's a very specific thing for you, and I don't think it needs to be published to everybody. Your standards, your control objectives, your policy.
Yes, most definitely. Playbooks.
(43:58):
That depends on the organization, but there might be situations where, if you're going to do that, where some playbooks or procedures can be out there for everybody to see, then you need to keep everything in one location.
So, as an example, you wouldn't have one within a GRC platform, one within a SharePoint platform that's open to everybody, and another one within another SharePoint that is
(44:21):
limited.
I would consolidate that.
Take that down to two instead of three.
So something to consider in that regard.
Defining documents to be audit ready thus is not a useful document, okay.
So this is the problem.
Right, I made this document and it's got all the right language in it.
It's audit ready.
If they audit it, it's gonna look amazing, they're gonna pass
(44:42):
me.
It's not useful.
Okay, that is just not useful.
Auditors are people just like you.
Be concise, be clear, tell them what you're trying to accomplish and make it a document that people will reference and use, because otherwise you're just making work for yourself, and what you're doing is you're trying to put something out there to go, well, hey, if I do this, I'll keep the auditors away.
No, that is not the approach with this.
(45:04):
This will not work.
If you do that, I mean it'll work for a period of time, but then something's going to happen and you're going to go, I wish I didn't do that.
So you need to just go from the beginning, rip the band-aid off and do it the way you should do it, and then you don't have to worry about it.
Cookie cutter approach with documentation on policies, control objectives, etc.
Okay, so I say that and that they need to be the.
(45:25):
The documentation needs to flow, it needs to be consistent, but you don't just go copy paste, copy paste.
I've seen it where people have had documentation and they pull it right out of the NIST cybersecurity framework and they put their control objective in there exactly how it would read within the framework, and it doesn't really help, and what ends up happening is people don't really even understand what that word means.
They don't understand what the control objective means.
(45:46):
You have to take these control objectives that are out of NIST or out of the frameworks that you deal with and put them in your standards and word them in a way that meets what you're trying to accomplish, so that people can read it and go, oh yeah, that makes total sense, versus going MFA, tied to the fourth power, tied to this, tied to that, is for only smart
(46:07):
people who really can understand this sentence.
Then you're going, oh, that's not a really good control objective, because people like me would go, I have no clue what you're talking about.
So an important piece of that, you need to make sure that you understand what you're trying to convey.
These are some of the frameworks.
Again, you have the NIST cybersecurity framework, CRI, 800-171, 853, 27002 for ISO. All of those are available.
(46:30):
You can get all that stuff online.
You can get access to it.
I highly recommend, if you're going to be in security, yes, you got to read this stuff.
It's boring, it'll put you to sleep at night, but it's very, very important that you understand it, because you will be held accountable to it and you're also taking your CISSP test.
Ah, guess what?
It's probably going to be on the test in some form or fashion.
(46:50):
So understanding it is going to be an important part of what you're doing.
Okay, that is all I have for you today.
And again, I'm excited to see CISSP Cyber Training.
You need to go to CISSP Cyber Training.
You need to check it out.
It's all there and available for you.
I've got a mentorship program.
I've got just.
You can get access just to the document, all of my test
(47:10):
questions.
You can get access to all my content, my videos.
All of this stuff is available.
You can read and study it on your own.
So, again, CISSP Cyber Training is designed for the self-study person.
This is designed specifically for you that are wanting to take the CISSP but you don't want to spend $15,000 on going to a
(47:32):
training program and you maybe don't have the time to do that.
This is designed specifically to give you that benefit, and I don't charge a lot for my videos because I want you to have the access and have it available to you.
However, you've got to put the time and the effort into it.
You've got to focus on studying for this exam.
I wish I would have had my blueprint that I've created specifically for CISSP Cyber Training, and I wish I would have had it, because I went through and studied the book
(47:53):
from beginning to end, writing notes, doing all of those things over and over and over and over, trying to understand what the heck I'm trying to get here, and I still failed the test.
I didn't have this level of knowledge.
I didn't have someone teaching me this.
This is 20 plus years of security experience that I'm
(48:16):
trying to give you that will help you pass the CISSP.
I deal with CISSP stuff on a daily basis, every bit of domain aid.
I'm dealing with it all the time, every single day.
This is stuff that you can use to help you pass the test the first time, and if it's not the first time, that's okay too.
It'll help you pass the darn test, because that's what it's about.
You need to get the test so you can move on and enhance your cyber career and help protect all these people that are being taken advantage of by these cybersecurity nut jobs. Not
(48:37):
cybersecurity, the stealer people, the people that are stealing your stuff, right, those guys, they're crazy, they're stealing stuff.
You need you to help them.
All right, beat that drum to death.
See, my third grade education did come out right there.
You saw it.
All right, have a wonderful day and