
June 30, 2025 38 mins


Effective data classification isn't just about regulatory compliance—it's the foundation of your entire security program. Whether you're preparing for the CISSP exam or leading security initiatives at your organization, understanding how to identify, categorize, and protect sensitive information is critical to your success.

This episode dives deep into the world of sensitive data management, breaking down the fundamental frameworks and approaches you need to master. Data classification might seem deceptively simple on the surface, but implementing it effectively requires navigating complex regulatory environments, understanding technical controls, and driving cultural change within your organization.

We begin by exploring what constitutes sensitive data across different industries—from financial institutions prioritizing monetary data to healthcare organizations safeguarding patient information. You'll learn about key regulatory frameworks like GDPR and HIPAA, their specific requirements, and the substantial penalties for non-compliance. The episode provides a practical breakdown of classification schemes in both government and private sectors, with actionable advice on simplifying these systems to improve employee compliance.

Most importantly, we address the critical human element of data protection. Without clear ownership and responsibility, sensitive information falls victim to the "tragedy of the commons"—accessible to everyone but protected by no one. The episode outlines strategies for assigning data ownership and implementing controls throughout the entire information lifecycle, from creation through disposal.

Along the way, we examine an emerging privacy concern with Microsoft's Copilot "recall" feature that captures screenshots of everything you do on your computer. This real-world example perfectly illustrates the constant tension between innovation and privacy that security professionals must navigate daily.

Whether you're just starting your security journey or looking to refine your approach as a seasoned professional, this episode provides the practical knowledge you need to build robust data protection strategies that balance security requirements with business needs. Subscribe now to continue building your cybersecurity expertise and prepare for the challenges of tomorrow's threat landscape.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
All right, let's get started.
Let's go.

Speaker 2 (00:24):
Let's go. Cybersecurity knowledge. All right, let's get started. Hey y'all, Sean Gerber with CISSP Cyber Training, and hope you all are having a great day today. Today is Memorial Day. Here in the great country United States we have Memorial Day to honor those that have fallen in the past previous wars for this country, so it's a little bit especially true to me. I've had some really great friends that have passed on that were part of many different conflicts, from World War II all

(00:47):
the way up to the present day, so it's kind of a little bit of a bittersweet time, but it's actually also a time when, in the United States, we have a little bit of a respite and so there is some break between having to work so hard. But not today. We have the CISSP Cyber Training going on for you today, so that is a positive, right. So today we're gonna be getting into Domain 2.

(01:08):
This is 2.1.1 and we're gonna be dealing with sensitive data and data classification. But before we get started I wanted one small article that came up. I saw today as I was searching through the web on some, see what's new in the news, and Microsoft Copilot has a recall feature that I was not aware of, that they have this, and I don't know if it's thing it's instilling.

(01:29):
It's going out in limited resources to people, but an interesting part around that is it has the ability to recall everything you did on your PC, which in of itself is a bit creepy, uh. So it has, and from a data privacy standpoint I think it's got challenges. I get why they're doing it, but, yeah, it will be interesting to see how this plays out and how many lawsuits will come of

(01:50):
this. But basically what it does is there's an article that's on Shared Security and I guess there's a podcast that these folks have kind of put together as it relates to this overall recall feature. Now, this is, you can watch the podcast and see what they have to say about it. But let's just kind of get into it from a CISSP standpoint, what this thing does.

(02:10):
And there's actually an X feed that you can go watch that will talk about kind of the synopsis of how it works. But more or less it is taking screenshots of everything you do inside your computer, so it's local on your system and it's allowing that the Copilot product to then scan it all, and

(02:31):
both from a text-based and from a visual JPEG type base, and then it able to categorize that, and so then when you do a search on your PC, you'll be able to pull up in. In this case, the young lady on the video talks about a brown leather bag, and she just types in brown leather bag and it finds all that search content that she had on her device, all

(02:52):
of the content, period, that is tied to a brown leather bag. So what it'll more or less do is it categorizes everything on your system. Now there's pros and cons of that, right. I mean the pros are the fact that it gives you much better granularity of what's on your system. From a data protection standpoint, it actually could be very useful as it relates to the Purview product and data

(03:13):
labels and all of that. I mean there's a lot of great benefits that could come out of that from a data protection standpoint. The downside of it is it's scanning everything. So now how can this be used against you, potentially by hackers, and that could be bad. The ability of it, now that Microsoft, you are trusting Microsoft to scan everything that goes on your computer and it stays local, how do we guarantee that that stuff

(03:36):
doesn't get out to somebody else? So heaven forbid, you go watch the Fuzzy Kitten Show and all of a sudden it's taking screenshots of the Fuzzy Kitten Show and now you have to deal with that and that gets leaked, and now all of the dog activists are very upset at you because you watched the Fuzzy Kitten Show, right. So I mean, all that stuff could be very bad.

(03:56):
It could be manipulated in a way that is super bad. So we'll see how this plays out. But this is more of the generative AI pieces that are coming in. I will admit I love AI. In some respects it's very helpful. It's very useful. I've had plenty of meetings where I would record the conversation in the meeting. Everybody knows they're being recorded and it would give you a

(04:16):
detailed list of what's actually occurred and it'll give you tasks. I mean, it's awesome, very good productive tool, but on the flip side, you throw it in this direction, yeah, it could get ugly really quick. So something for you all as CISSP people that want to understand the future from a senior leadership standpoint. Those are some concepts you're going to have to be aware of. You're going to have to work with your legal and compliance

(04:38):
folks to make sure they're aligned, and you're going to have to probably do a lot of education with them on what are the controls you have in place to minimize some of the risks that are being encountered by this product. So great, it has options, looks cool, but we'll see how it plays out. Okay, let us roll into our podcast today around defining sensitive data and data classification.

(05:00):
Okay, so we're going to be getting into data classification concepts that are associated with the CISSP and asset security domain, which is domain two. So as we get into this, we'll start off. There's some terms that you all have probably been dealt with. There's also some terms that will come up that you haven't probably encountered during your time, as in security. So we're going to kind of go through all of those and then go

(05:21):
with the assumption that some of this may be a little bit more basic for others, but others it may be introductory, they may learn it, and so let's just kind of hang on and see what we come up with. So we're going to talk about defining sensitive data. When you're dealing with asset security, as it relates to domains, domain two, you are going to have to ensure that you have some level of defining and understanding what is considered

(05:44):
sensitive within your company,and that will vary from company
to company.
If you're in a banking industry, that's financial data.
If you're dealing with themedical industry, obviously it
would be data tied to theindividual, plus maybe health
records.
If you're dealing in themanufacturing space, it could be
intellectual property that issensitive to that company.
So it varies from company tocompany.

(06:06):
But at the end of the day, there's some basic broke, breaking, broke down. I can't, I can't even speak. Some broke, yeah, that it's real, let's break it down. Let's break it down, let's do a little bebop. No, sorry, sorry, my ADD kicked in. So we're dealing with PII. So PII is any information that can be used to identify an individual, either alone or when combined with other data.

(06:27):
And PII, I've talked to some compliance folks and they say, well, that's an older term, PII, and it is, but it could just be PI. Some people go just personal information. Bottom line is PII, PI, it's anything that's tied to you, such as Social Security numbers, driver's license, passport numbers, credit card numbers, etc. Medical records.

(06:48):
You got it. That's all tied to you. Now there's regulations that help pull all this together and they're globally. So I'm just giving you two, but there's all kinds. You pretty much go to any country, they're going to have some level of regulation against this, or about understanding and protecting of what PII data is, and that would be the GDPR.

(07:09):
Obviously, we talk about that because that's one of the big, big dogs on the block, because one of the reasons is it's been around for so long, and also, two, the fact that the charges or the expense if you don't maintain those systems or don't protect that data, you can be fined substantially, especially if you're a global organization. It's like 4% of your GDP or your global, not GDP, your

(07:32):
global gross profit or not grossprofit, your global gross
income would be 4%.
So if you make a billiondollars, obviously 4% of a
billion is 4% of a gob.
So it's a lot.
It's a lot.
Then there's the CaliforniaConsumer Privacy Act, ccpa.
Obviously, look in the UnitedStates.
Ccpa is probably one of themore restrictive laws around
that and that does have somecontrol over personal

(07:54):
information. In the United States, just to kind of put it in perspective, if you are studying for your CISSP and you get hired by a company, many law firms, and what you should consider as a CISSP or a CISO is to consider that if you look at the most restrictive state that has the most restrictive around PII or any other type of data

(08:15):
and then emulate what they do, you'll probably be pretty safe, especially if there is a data breach and you have been trying to follow the controls. Based on that, you're usually at a much better position. That doesn't mean you're going to walk off scot-free, but you're in a much better position as it relates to the legal counsel or the legal position that you have with your company. Now, again, I'm not a lawyer, nor do I play one on TV.

(08:36):
However, I would say that those are some key things for you to consider as a CISSP. As it relates to public information, again, the terms PII will be synonymous with PI and also with personal identifiable data or PID. So PII, PI, PID, yes, like follow the yellow brick road,

(08:58):
okay. So region-specific terms. Obviously, in the EU you have GDPR. They consider personal data PII, so you're gonna have to. One thing you have to do as a CISO or as a security professional is you are going to have to translate what that means and in some cases, you're gonna have to translate that to some of your compliance and legal folks. Again, it depends on the size of your organization. You may have a very large organization and your folks are

(09:21):
on top of it, you don't need to worry about it a whole lot. But if you get hired on by a smaller company, you may have to be the person who is acting like the compliance person as well as the security person. So just keep that in the back of your mind. Canada, it's PIPEDA, which is very similar to PII, which is

(09:42):
personal information electronics documents. That's a PIPA. And then in China, obviously, there's a PIPI. Yeah, it's the PIPA. PIPA has that and they also have PISS, which is your personal information security specification.

(10:02):
That's an interesting acronym. I don't know if I'd say that one out loud, but anyway, that one is, they have all kinds of stuff and it's the personal identifiable protection act that they also have in China. Bottom line is you just need to understand it. You probably won't see many of these other countries that are on the CISSP. I'm saying probably, doesn't mean you won't, but they'll

(10:22):
probably focus to be more US-based specific when it relates to those. So just keep that in the back of your mind. Government-specific classifications. Some governments have additional classifications as it relates to, like, in the United States, the Social Security Administration has specific classification for Social Security numbers due to their high risk and identity theft. So, like I mentioned before, you're going to have to keep in

(10:47):
mind that they will differ from country to country. Just know, if you understand the whole PI concept, the personal identifiable information, then our personal information, then that puts you off in a good position. Now, in the United States, we have a thing called protected health information, or PHI. Now this ties into what we call HIPAA, H-I-P-A-A.

(11:08):
Now, if you've seen some of my courses and you go, oh, you didn't spell that right. Yeah, you're right. A couple of people called me out on it. They're like, yeah, dude, it's not a HIPAA. I'm like, I get it. Okay, all right, I made a mistake. It's not two P's and it's just two A's, so it's HIPAA, not HIPPA. See, I goofed that up. So the Health Insurance Portability Accountability Act,

(11:34):
and that is what came in place to help protect health records, and there are fines associated with the PHIs. There's so many acronyms you can't keep them straight, and so the point of it is, though, is when you're dealing with any sort of PHI data, you need to make sure you protect it. If you treat all the data the same, as it relates to PHI, PII, all of that, you're going to be in a much, you're going to be in a really good place. You really are. There's also some frameworks that will help you with the

(11:57):
HIPAA legislation, that kind ofhelp, the controls that you want
to put in place to protect PHIdata.
Now, the types of data would bemedical history, treatment
plans, billing information,genetic information, you name it
.
Anything that ties you back tothe health records of an
individual is consideredprotected data, and so,
therefore, you have to put incontrols enough to protect this

(12:19):
health data. Now, this is where, also, auditors will come in and they will check you to make sure you're doing it correctly, and I will tell you that the better you, the better knowledge you have on this and how the controls you have in place to protect the specific regulation, regulated data. When the auditors come in, and I've been audited multiple times, and they will start asking you questions.

(12:41):
It's like in any test. It's like when you take the CISSP, that CAT test. You know, it's the computer aided testing situation. If you are on top of your game and you can knock out the questions when they come up, you'll be done in a hundred questions. You're done. You walk home, bada boom, bada bing, you're out of there. However, if you flounder and you have some challenges with

(13:05):
those tests, the CISSP is going to keep digging deeper and deeper and deeper to figure out what you don't know. Well, same thing with the auditors. If you can't answer their questions, well, they're going to start digging deeper and then they realize, wait a minute, you don't have this in place. Why are you not doing this? So it's imperative that you understand the regulations as well as the controls that you are putting in place to manage the risk of these regulations.

(13:27):
Okay, so I'm going to go into a couple of controls as it relates to HIPAA data, just to kind of put it in some perspective of what you're dealing with. And these HIPAA, the safeguards are designed to protect your PHI data, which again access controls, encryption, audit trails and so forth. So I'm going to get into administrative, physical and technical controls, and these are just a broad brush. I'm not going to go into all the gory details of all of them,

(13:49):
I'm just going to kind of touch the highlights so you understand this. So, when you're dealing with administrative controls, what are some administrative controls you have in place as it relates to your PHI? One of the things is, do you have a compliance training program in place that you're educating your workforce based on the regulations and the proper handling of PHI? Again, are you following through and teaching your people

(14:12):
how to protect it? Now, if your people do bonehead things and they send protected information outbound to someplace else but you've trained them, you've taught them, they've signed off on it, it now gets to a position where you have some sort of protection against fines and so forth. Again, not legal advice, I'm just saying, giving you some

(14:33):
guidance around this. The other one is data access controls. Do you have a need to know principle based on your data and the fact that, okay, Sean, I work for a company right now as a contractor, do I have need to know to look at X, Y and Z data? No, I don't. So they have a policy in place that says Sean should not look at that data. That's great.

(14:53):
You now meet the needs of what the auditors are asking, and you've put in place controls to help protect the data. The bottom line, though, is even have a piece of paper, are you actually following through and doing that as well? So just, that's an important fact. Now you'll have risk assessments and management plans. Are you regularly identifying potential risks and PHI to

(15:16):
implement plans to mitigate those risks. So, are you doing an assessment? Are you checking things out to make sure that you're doing it right? I would recommend you may have, depending on your auditors, an annual assessment. That has to occur. Do you have a mitigation and management plan when you find things? Those are just, again, basics, right, but if you do the basics well, you'll be in a much better position, especially when

(15:36):
you're dealing with one, protecting your people's data, as well as making sure that the auditors are happy with you. The other one is incident response plan. So do you have an incident response plan in place to help with security breaches and the like? Again, that's an important part too, because so often I see it where people will give this lip service and say, yeah, yeah,

(15:58):
we're good, something happens, we're good. Well, but if you don't have a plan and you haven't exercised your plan, you are not good. Don't fool yourself. You are not good and you will get burned and you will wish you had done the plan. Because it's a pain. I guarantee it and I give it. I get it to you, man. It is a pain in the butt to do an assessment and to turn around and do an exercise.

(16:18):
It's not easy, and if you hire somebody from the outside like myself, because I'm happy to come help you, if you come, do that, you are going to end up. It takes money, but, boy, if you don't do it, you will wish you did and it'll be the best money you ever spent in the event that there's a bad thing happening. So just keep that in mind. Media disposal, do you have?

(16:39):
Okay, now we'll get into physical controls. You have secure facilities. You've got to maintain physical security measures to protect your PHI data, as well as important factors around that. It could involve access control systems, security cameras and locked storage cabinets. I've done multiple tests and multiple assessments of facilities and I've had to go through and go,

(17:01):
why is that sitting out? We have a clean desk policy, but yet you're not following it. Those are pieces that you would do from a secure facility standpoint, and you'll have your security cameras. Are they on a separate network? Can I gain access to this network? Who has access to this network? All of those factors are an important piece when you're dealing with physical controls. Media disposal, you have a secure disposal method for your

(17:25):
PHI-containing media, such asshredding paper documents,
securely wiping electronicstorage devices, etc.
Etc.
Do you have that built in?
Is that something that'savailable for your people?
And again, it's an importantfactor when you're dealing with
physical controls is that all ofthis stuff is documented and
you're following throughTechnical controls.
What are some things of that?

(17:46):
And again, these are just a broad brush, just a small smattering of what you need to know. Technical controls you have. Encryption you have. Do you have encryption on the databases where the data is stored? Is you have it encrypted while it's in transit? Now, one thing to consider. Again, this is something you have to consider as a security professional. Do you encrypt the traffic from point A to point B?

(18:07):
Now, ideally, the book answer says, well, yes, you should do that, always. Encrypt all your traffic, all your data and on that side. That's an important factor and I highly recommend that you do that on some very key systems. However, you need to really think hard about when you do this, because the moment that you encrypt data from point A to point B, you now make it invisible for your own people to

(18:30):
see if there's data that's leaving the organization. So you want to have a really good architectural plan on how you're going to monitor the data leaving your organization to see if there's any sort of data that could be potentially being exposed. And the moment you encrypt everything, you now have to figure out, okay, now I have to decrypt it to be able to see what's inside it. So there's a lot of stuff that goes into that.

(18:52):
That's really important. So, again, I think it's something to consider, that internal network traffic I'm not a big fan of encrypting at all because I would like to have visibility. There might be some areas where you would want it all encrypted so that no one could ever sniff it again. You need to think about that and know the pros and the cons before you do that. Audit trails, you need to have a system of trails and audit

(19:15):
trails in place that understand your log access, to include PHI, for monitoring and accountability purposes. Now, when you're dealing with the auditing, you need to consider how long do you keep these logs for your auditing methods? Which logs should you keep? That has a whole bunch of hair on it because you're going to have to deal with how. The logs are not cheap, they're very expensive, they're not

(19:38):
inexpensive, and so therefore, for you to store them for any significant period of time, it will cost you a lot of money. So you really got to be very judicious on which logs you want to protect, which logs you want to keep, which logs you're required to keep, based on potential regulatory requirements. You may have firewalls, intrusion detection prevention systems, obviously you want to have those in place.

(19:59):
Depending upon if they're virtual or physical boxes, you just need to decide which one is best for you. A lot of times this stuff is built into these new, really Gucci firewalls, so you'll have to decide what is the best architectural layout for your company. But those are things you'll need to consider. And then DLP, having some sort of data loss prevention program in

(20:21):
place. This would include sharing of PHI data via email, USB drives and other methods. Again, that is also a hairy beast. There's a lot that goes into that. I also provide DLP services for companies if they are listening and they want that. I have to throw out advertisements for me, because I don't put any ads on this thing for anybody else. So if you are interested in a security professional, please

(20:41):
come, stop by and visit my website and I will be happy to help you. So sorry, I'm in a different space now, I have to kind of do that. So data loss prevention, important factor, you need to really consider that for your company and, again, depends on your data. You may not, if you're just a manufacturing company, I said just, I don't mean it that way, but if you're just manufacturing

(21:01):
widgets and you may not need a lot of this stuff as it relates to that, except for the PHI data and understanding employee data and customer data. The other thing you got to think about is reputational. If, for some reason, you have a small business and your business gets hacked, well now, if all your data gets out, how does that affect your reputation?

(21:22):
That could be expensive, especially since people are very watched. They've watched very closely to Google type stuff, so there's something really to understand there. Additional considerations you need to think about is your business associate agreements, BAAs. These are required covered entities such as healthcare providers and health plans. They will have to have BAAs in place that people that handle

(21:44):
PHI on their behalf. And then patient rights. You need to have a patient rights specifically to understanding PHI, right, medical records and so forth. We talk about proprietary data a lot. I've got a really long history in proprietary data and protecting it, but understand it's the same concept. When you're dealing with PHI, what data is sensitive, what

(22:04):
data needs to be protected, and you need to consider that for your organization. Some examples, obviously proprietary data. You've got your financial information, mergers and acquisitions, customer lists, marketing plans, R&D. All of those things need to be considered as your sensitive data. But you can basically transpose PHI and IP as the same type of product.

(22:24):
You want to protect them in many of the similar ways. There may be a few more that you have to do with PHI type data than you would with IP, because when you're dealing with PHI, as such a large group of people, such a large group of data, because everybody has some sort of health information, whereas IP data is usually a much smaller subset and not

(22:45):
everybody should have access to it at all. So you just need to kind of work through that and figure out what's best for you and your company. Some other protection mechanisms, and I will say this really isn't a protection mechanism, and people that I've talked to that are in this world have made this comment to me, that an NDA, a nondisclosure agreement, yeah, those are only as good as the paper they're written on.

(23:06):
Now I say that against some legal people who come back and beat me over the head with a wet noodle and say, no, that's not true. And it's true. I mean, yes, you can use the NDA as a way to put fear in people's mind that you're going to come after them, and if you're a corporation that has deep pockets, especially, you can go after them, no doubt about it. But the bottom line is, if the data is already left, the NDA

(23:30):
doesn't stop the data from leaving. It just is a mechanism to be able to basically scare them and come back after them. And so I'm saying that, as I've signed NDAs and I will honor them, right, but that doesn't stop the data from leaving. It's more or less an administrative control. Now you also have your DLP solutions that are in place that

(23:50):
can block data from leaving. They can also put timers on the data so that when it gets sent out, it's going to get deleted. Just know that data is going to leave your organization. You just have to decide which data do you want to leave, or which data are you willing to let leave, and which data are you not wanting to leave at all? Now we're dealing with data classification schemes. This is where there's various ones that are in place.

(24:11):
You have a government side and you have a private sector side. Now, the governmental side, I'm just going to use this from a US-based focus. Each country has their own, but from a US-based, you have top secret, secret, confidential, sensitive but classified and unclassified. Now, each of these has a different bucket, different genre. Top secret, obviously everybody knows that's where you have the

(24:33):
two keys and the nuclear weapons. That's top secret. Lived in that world. They do not play games. You say something you shouldn't say, you get, potentially you get let go if you're lucky. If not, you get sent to Leavenworth and break big rocks into little rocks. So you don't mess with top secret. I mean you don't mess with any of them. But secret and top secret you definitely don't mess with. They have bad ramifications that go with it.

(24:56):
They're very, very serious about that. So what top secret comes into is it is exceptionally grave damage to national security. Secret is where it's serious damage to national security. So understand those terms. You're going to have to know that for the CISSP, it's grave and serious. Those are key terms that you'll see. Confidential, it could cause serious damage to national security. And then you have sensitive but unclassified data.

(25:18):
This is where it's sensitive, but it's not formally classified as a secret, top secret or confidential. And then you have unclassified, which basically is no harm. Now, as I break that down, grave, serious, um, what a sensitive data is, all right, we lost it. See, I'm reading all this and I can forget. Yeah, so you have serious damage and security, serious damage and security with diplomatic means.

(25:40):
Each of these different areas that are broken out, you need to understand what they're asking for in the question for the CISSP. Also, know that each country that you talk about has something very similar. Some will have the language will be very ideal, will be identical, almost in some cases, grave, serious, but they may

(26:01):
change it just a little bit. I know China changes it a little bit, but it's very similar wording. Just know that. That is the government classifications. When you're dealing with common classifications in the private sector, that is where you deal with confidential, private, sensitive and public. Now, this does not mean that they're all going to be this way. Your company may come up with A, B, C and D and you go, A is our

(26:25):
confidential, B is our private, C is our sensitive and D is public. You may do that. You may get this very complicated lettering system. I wouldn't recommend it at all. It'll confuse the dickens out of people. But if you're going to have some sort of common classification, you need to make sure that that's defined, people are trained and that people are held to that standard.

(26:47):
So confidential obviously is sensitive data critical to the organization's success, right, financial loss, reputation, legal issues.
That's confidential.
Private is basically for internal-only use and it could be impacted if disclosed publicly.
I personally would not use private for anything.
I would either keep it simple.
Okay, if you guys are going to make this for your CISO, make

(27:08):
this as simple as possible for your people, because the more complex you make it, they will goof it up, they'll mess it up and it will go sideways.
So if you're going to do all this, you just say confidential and public, two things.
If you know it's confidential, it fits in this bucket.
If it's public, it can be anything else.
If you're going to do this piece, again, you will have to

(27:31):
figure that out for your company, what your CEO or your owner wants to do.
But know that.
Keep it as simple as possible.
Sensitive is it's classified compared to public.
Data requires some level of protection, i.e. marketing campaigns, internal training materials, etc.
Public is freely available.
Minimal harm from disclosure, basically emails and so forth that you would consider, eh, not a big deal.

(27:52):
Again, I would recommend if you're going to do data classification in a private sector, keep it simple, common, confidential and public.
Okay.
So now we're just going to quickly roll into this one last thing as it comes down to classification impact under the class system.
I know, air quotes, class.
If you go to CISSP Cyber Training, I'll have this video

(28:14):
out there.
You can watch the video on YouTube.
It'll be on YouTube as well.
You also can go to reducecyberrisk.com and check out my consulting website.
And if you're ever interested in some training or need some sort of consulting done from a cybersecurity standpoint, I can help you.
I can.
I've done pretty much most all, not all, not all, definitely not all, but I've done a lot in the cybersecurity space that can

(28:34):
provide you a lot of value for you and your company.
If you're listening to this, okay, now impact levels.
You got class zero to class three.
What exactly are those?
So these are.
It's basically a conceptual understanding of this.
I mean, you'll see this in the book, the ISC² book, and they've got like this pyramid and they are class zero to class three.
Now class zero starts at the bottom.

(28:56):
It's the biggest bucket and you can really break this down into the same thing as class zero would be public information.
But class zero is data with minimal disruption if compromised, publicly available marketing materials, et cetera.
So this is class zero.
This is open to the public.
Class one, this is data that could cause moderate disruption to business or business processes.

(29:17):
This would also be something similar to your sensitive data.
So you got class zero is your base.
That's public.
Class one is sensitive.
Class two is data with a high impact on mission or business processes if compromised, i.e. customer financial data, which would be very similar to your private data if you had that.
And then class three would be data with severe impact,

(29:40):
potential to organizational failure if compromised.
Now this would be very similar to what you deal with your confidential data.
So, again, all we're doing is just modifying words, but realistically, you want it.
If you're going to deal with data classification within your organization or you see it on the CISSP exam, there's

(30:01):
different types.
The class zero, like I said, is your public, class one is your sensitive, class three is your private, or class two is your private.
Class three is your most secure or most sensitive and that's your confidential.
You can flip that into being the same thing for when you're dealing with the classified aspect of this.
You could go sensitive but unclassified is your class zero,

(30:24):
your confidential is class one, your secret is class two and then your top secret is class three.
They're just doing the different classes so that it gives you different options to understand for your company and, as a security professional, which one would be best for you and your organization, because you're going to have to figure

(30:45):
out, related to your company, what will your employees understand and deal with this?
Actually, I lied to you.
I lied.
I have a couple other little things I'm just going to quickly go over, as we have just a little bit more time.
So, some additional considerations as you're dealing with the data.
One thing to deal with as it relates to the data is your data ownership and responsibility.

(31:06):
Now, this is an important factor: you need to understand what happens to the data, who owns the data and who is responsible for the data.
Now, if you don't define who these people are at the beginning, you need to really put this in the back of your mind, that it has to be done at some point, and I would highly recommend, as you're going through all these classifications, you'd also

(31:26):
start picking out owners to ensure that the data is protected, and then you have very strict, very defined rules, responsibilities and expectations for that management of the data.
I mean this in the fact that, if it's a, I was at Koch Industries, you know, Charles and David Koch.
They have some really good principles, some really good stuff.
Actually, I took out of that, which was awesome.

(31:49):
One of the things that came out of it that was important is that it's called tragedy of the commons.
If you don't have an owner for, like, let's just say, your watering hole where everybody goes to get coffee and so forth, if there's nobody that owns it, no one will take care of it.
The same thing goes with your data.
If no one owns the data, if no one's actually defined hey, Sean, you own X, it's your baby, you protect it and that way I am

(32:17):
responsible for it.
If you don't do that, then nobody owns it, and so then it's very easy for the data to just start getting pilfered and sent everywhere.
So it's important that you do define ownership and the responsibility.
This could be department heads, IT personnel, project management, whoever, doesn't matter.
All that matters is that you pick the right person who will manage and protect the data, and I would also recommend you pick a rabid dog, someone who is very on top of things, to own

(32:39):
the data, because they'll make sure that you need to understand.
When you're creating this, the data, you need to have kind of a path in place.
When you're dealing with the security controls, you need to start from creation, storage, use and disposal.
That is the life cycle.
So, the moment it's created, you now classify the data.

(33:01):
Then it's stored.
You know that, hey, it's been classified as X, I need to store it this way.
How it's used.
You need to decide okay, if I know I classified it as X, as it's being used, these are the people that can use it.
This is the data in transit, needs to be protected or not, depending upon your situation, and then disposal.

(33:22):
What happens at the end of this?
Do you do data wiping?
Do you physically destruct the devices, the hard drives, whatever that is?
So those are different security controls you have from creation, storage, use and disposal.
Then there's an emphasis on securing the data at rest.
Again, we kind of talked about how data at rest, in transit and in use.
Now I'll be honest.
Well, I'm not being honest.

(33:43):
I'm being honest.
You know what, I really hate it when I say that, because it's really not true.
So if you say I'm being honest, well, that means there's times in my life when I'm not being honest.
I'm sure there probably are.
But anyway, to digress, when you're talking about data at

(34:03):
rest, it's very rarely ever at rest.
It's there and waits for someone to touch it.
It's usually getting pulled and pinged by somebody, some application, at some point in time.
So you really want to have data encryption.
Encryption is important, but you're really putting the data encryption on that data specifically, as if somebody actually stole it.
That's the real piece with data at rest, but it's never really truly at rest.

(34:23):
Data in transit, obviously, where it's going back and forth across the wire, and then data in use, when it's being implemented and used in the application itself.
So those are key pieces of information.
Okay, last thing is best practices for data classification.
Again, these are just kind of a synopsis of what we've talked about today.
Today I went through very fast, very quick, but there's a lot of great information in here, especially for the CISSP.

(34:45):
If you think about it, again, you want to think about the test as a security professional who's been around for a while, that understands security.
So this is what this is designed for.
Second thing you also want to understand is, if you follow what I've just said, you're going to be in a much better position for data security within your organization, wherever that is.
And again, I recommend, go watch CISSP Cyber Training, get the videos, check them out.

(35:10):
They will give you a wealth of information outside of the CISSP.
Just because I've been there, done that, got the t-shirt, trying to pass on some information to you, and you just need to keep that in mind.
So best practices: develop a data classification policy that aligns with your organizational needs and compliance requirements.
Again, what does your company want?
What do the governments require?
Provide clear and concise data classification guidelines for

(35:31):
employees.
Again, you got to teach your people, and if you don't teach them right, they will do it wrong.
I guarantee you, even if you do teach them right, they'll still do it wrong, but you have less chance of them doing it more wrong.
That's a lot of double negatives in there.
You need to train employees on data classification and procedures, as well as their role in data protection.
Again, it's everybody's responsibility for data

(35:52):
protection.
Pass that on to them, make that into your culture.
Conduct regular classification reviews.
Ensure accuracy and effectiveness.
The bottom line on that is just you need to do assessments and make sure that people are doing what you tell them to do, and then make changes based on what you find, and then implement automated data classification tools to assist in the process,

(36:12):
if possible.
Obviously, I'm talking about Microsoft Purview.
It has a way to auto-classify, and auto-classification is a really good way to classify the data itself.
That works really well, especially if an organization has a lot of moving parts.
I'll give you an example where, if you haven't had a data classification plan forever and you have data sprawl that's in

(36:35):
all locations within your company, an automated data classification process will work really, really well for you.
Again, back to the comment we talked about with the generative AI and the recall piece of Microsoft Teams or Copilot, I should say.
That could really be awesome for data protection, but it also is very creepy and could be scanning everything

(36:57):
under the sun, so you want to keep that in the back of your mind as you are going down this path of data protection.
Okay, that is all I've got for you today.
Again, go to CISSP Cyber Training.
Go check that out.
Go see what's out there and available for you.
Also, go to Reduce Cyber Risk.
Again, Sean Gerber here, I'm offering cybersecurity

(37:20):
professional services for companies.
I've been doing this for 20-plus years.
I've done a lot, from being a red team commander and doing penetration tests all over the globe to being a CISO in a very large multinational that has got intellectual property and, you name it, I've dealt with it.
So I would say that it's important to protect your

(37:43):
company.
I can provide those services for you, and so I've got to put a plug out there for me.
Sorry, just got to.
Anyway, have a wonderful day and, you know what, we will catch you on the flip side.
See ya.
© 2025 iHeartMedia, Inc.