Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:20):
All right, let's get started. Let's go.
Speaker 2 (00:31):
Good morning everybody. It's Sean Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day today. Today we're going to be doing something just a little bit different with the CISSP. So typically on Mondays I have a CISSP domain and then I have the questions that are going to follow up on Thursday. But this week we're going to do something just a tiny bit different. So I have created a CISSP rapid review that's available for
(00:51):
folks. You can go to YouTube or you can go to my website and you can download it and look at it, and it's pretty awesome, and it's a rapid review over domains one, two, three and so forth, all the way to domain eight. But this is going to be the rapid review of domain one, and so it's going to be a two-part series. We've got one that's going to hit today, obviously the first part of domain one, and then the second
(01:12):
part will hit on Thursday, which will be the second part of domain one. Now the plan is that this will hit this week, and the next week I'll get back to what I was doing, and then another one for domain two will come out and we'll do that as well. So the ultimate goal is not changing anything of what we do for CISSP Cyber Training. It's actually going to give you the rapid review. It's going to go over domain one, and the design of it is so
(01:33):
that, as you're getting close and getting ready for your test, you can go through this rapid review (not questions, but content) and then you can kind of get a feel for how comfortable you are with domain one, how you feel with domain two. It gives you just an idea of where you're at in the review process. So all eight of them will be available to you,
(01:53):
and it'll be approximately, probably between all of it, around eight to nine hours of actual content that's available. So it's gonna be pretty cool. I hope you enjoy it. This will be the first one; it will be about 30 minutes long, and the second one about 30. Domain one, or domain two, is a bit shorter. Obviously that's a smaller domain and there aren't many questions tied to it, but those will be coming here and you'll be seeing those in the future.
(02:13):
But before we get started with that, I want to just kind of walk you through an area that I saw, an article that was around stopping ransomware in its tracks with exfiltration prevention. Now, this is one of the things that I think is really important. Obviously they want to do the destruction piece of this, but a lot of times, folks, they have to get the data out of
(02:34):
your organization to utilize the overall blackmail aspects of it, and this will help. I mean, obviously, the destruction part is a big factor in any organization, and having it destroy your data and then not having the backups, or all of that whole drama that goes with it. From the 2025 Verizon DBIR, 90% of ransomware
(03:07):
attacks did involve some level of data exfiltration. So if you can stop that, that's a huge part. The statistics that came with it also said that was up from 85% in 2023, and then, which was interesting, in 2019, when a lot of this started, it was at 10%. So data exfiltration obviously is a huge factor for any sort of
(03:29):
organization, especially when you're dealing with a ransomware type attack. Now, one of the things they recommend that you do, obviously, is you monitor for abnormal data movement using DLP or NDR, your network detection and response type of equipment that you may have within your organization. One of the things that is an issue that people do run into is
(03:51):
a lot of the traffic that is exfiltrated is exfiltrated via encrypted channels. So you may have to invest in some level of decryption capability to really allow you to be able to capitalize upon that. But having large numbers, having something that can verify that there's actually data leaving in substantial numbers, would also be valuable. So you may not be able to see that the exfiltration is
(04:12):
occurring because of encryption, but if you can see the actual size of data that's leaving, the actual, no kidding, volume, that may give you a trigger that your data is trying to leave the organization. You need to restrict file transfer tools, obviously, such as WinSCP or any sort of raw type of
(04:33):
activities; don't allow exfiltration of data from normal activities. So you're going to have to really work with your teams to understand that. They also use immutable or encrypted backups. Obviously, the encrypted backups are an important part. So if you do any sort of backup activities and they're making them immutable, basically you write once and read many, that's an incredible part, where I've seen it that folks
(04:54):
will install the ransomware inside the backups and then, when they're encrypted, they are tampered with on the way up, as it's being sent to the backup locations, so that that way, when they pull it down after an incident has occurred, they now have the encrypted file within their organization. So you're going to need to really make sure that you have some good software in place that will look for malware ingested
(05:17):
or injected into the overall backups, as well as ensuring that you have immutable backups to ensure that they're not reinstalled with malware. Obviously, having strong identity and access management, to include multi-factor authentication, is a really good way to limit the access and stop some sort of credential abuse. And then, if you can, adopt zero trust. Now I will say the zero trust piece of this is an easy word to
(05:40):
say. It's an easy bumper sticker. Adopt zero trust. That's what they talk about in the article. We all know that adopting zero trust within your organization is extremely challenging, and I would say in some places it's probably impossible. But adopting zero trust in certain areas within your organization is definitely doable, and you could also look at it as the hospital you never get out of, where you go within
(06:03):
one part of your organization, you start to implement Zero Trust, and then in another part you open it up, or you will install it, or install is not the right word, but you'll deploy it as time goes on in another part of your organization. So kind of keep that in mind, Zero Trust. I really want to do a podcast on that specifically, because there is a lot of value that can be had from zero trust.
(06:25):
But as an architect, you know there's no way. No way is not the right word. It's highly unlikely that you're going to be able to deploy this completely through your organization without destroying a lot of stuff and without having a significant amount of buy-in from senior leadership. So it can be done, it is being done. It's just I don't see it done on a mass scale, but you know
(06:48):
what? To pull it through your organization and all that, you can prove me wrong, which would be awesome. So, that being said, that's a great part about the article. I would highly recommend you read it. Again, I would recommend reading these articles to give you some kind of juices in your brain as things are occurring within your organization. You go, oh yeah, what about that? Oh yeah, there's been a lot of different security mechanisms
(07:11):
that I put within my organization because I was reading articles like this and going, wait a minute, can we do this really easy? Can we do this simply? Can we do a part of this? And that is a really, really great thing to do. It also is something that shows your senior leaders, in my case my CIO and my CFO, that you are constantly thinking about new options for the
(07:32):
organization and how to best protect it. They won't always buy into it, but at least you're thinking about it and you're trying to better protect your organization. So now that's all I've got for you on the article side, but let's roll into the rapid review for domain one. Hey all, it's Sean Gerber with CISSP Cyber Training and this is
(07:52):
the CISSP rapid review exam prep covering domain one, security and risk management. So this is the question breakdown per domain, and we're going to start this off with domain one, and domain one, as you can see, is about 15% of the questions are coming out of domain one for the CISSP exam. Now, as you look at this and as we go through this rapid review,
(08:14):
you're going to see domain one has a lot of content in it, and therefore that's why they have 15%. As some of the different domains have less content, then they have less percentage involved with the overall questions. But overall, if you look at this, it's pretty well evenly stacked between all the various domains, from basically as low as 10% up to as high as 15%.
(08:36):
So the bottom line in all this is, as you're going through this rapid review, one of the things you can ask yourself is, how am I understanding this content? So if you go to CISSP Cyber Training and you try some of the quizzes and you go, you know what, I'm getting these really well, then maybe don't put as much emphasis and as much time on studying those as you would on areas that you struggle with.
(08:57):
I have some of my students struggle with the software development aspects of this, and so, because of that, I would recommend you spend 80% of your time on the 20% that you struggle with. So, if you look at the infographic to the right again, devote 80% of your time to the 20% you struggle with. It's the 80-20 rule. However, that does not mean you ignore the last 20% by going,
(09:20):
yes, security and risk management, I get it, it's good, so I'm not going to study it. Not a great idea, that's a bad idea. But it does mean the fact that, as you go through my course, I have a blueprint that's available to you on CISSP Cyber Training that will walk you through step by step, the book, all of those things. But as you go through those different steps, you may go, you know what, I've got this, and then, as you move to another
(09:42):
area, I don't. So when you get through the entire book, then the aspect is to come back to the areas that you feel you are the most weak in, and so again, the ultimate goal is to focus on the areas that you can do your best in, but also be able to focus on areas where you don't understand the content and you want to spend more time on it.
(10:03):
So that's about basically what I want to break down with this. So we're going to get into domain 1.1. And this is, there's basically 13 different subdomains tied to section or domain one, I should say. And so the first one is going to be professional ethics. So as you study the book and you've gone through the book and the different trainings that are available to you, you're looking at what are the professional ethics and how does
(10:25):
this work. Well, these are the code of professional ethics from ISC². They have this defined within the book and there's various canons that are associated with it. There's four specific canons. The first one is to protect society, the commonwealth and infrastructure. The second is act honorably, honestly, justly, responsibly
(10:46):
and legally. The third is to provide diligent, competent service to the principals. And the fourth is to advance and protect the profession. So all of those have a very important part in the overall professional ethics of the CISSP, but mainly in cybersecurity as well. The things you're going to be learning as a security professional is that you have a lot of power potentially in the
(11:06):
capabilities you have, and therefore you need to use these skills that you have in protecting society. They're going to be looking to you on how do I use these skills to be able to protect critical infrastructure, to be able to protect banks, to protect people's individual livelihood, and so therefore, that's an important part of this. They also want you to act honorably and justly and
(11:29):
honestly. Because you know this information, it's very easy for people to come to you and go, hey, what do you think about this? Well, you could go, you know what? Yeah, I can take care of that. I know exactly what you think, what you need. That is not the right answer, and the reason is because you don't know everything, and now you may have to get some more information on it. You may want to come back and say, hey, I can help you, but I
(11:50):
need to get a little bit more information before I do that. They also want you to provide diligent and competent services. Don't kind of just gloss over stuff. You could be able to get a lot of information from people and therefore then you can potentially help them. But if you don't do it in a way that will help them correctly and you just go, yeah, I can do some security services for you, throw some pixie dust at it, see what happens, and you know what,
(12:12):
that won't work. It may give them something and they may pay you some money for it, but in reality that's just not the way you should be doing business. And then, lastly, is advance and protect the profession. That's what we're doing right here, is that we're advancing and protecting the profession in the fact that we're providing services to you to be able to use them so you can become security professionals on your own.
(12:33):
So again, those are the four canons tied to the ISC² professional ethics. Now the organizational code of ethics. These are specific rules set up by the company, and that's their values that'll help guide and direct employee behavior. Now this comes into practical guidance for daily ops, policies and procedures, different types of things that your company's
(12:53):
going to put forth to help people with making ethical decisions in what they want to do and what they want them to do on a daily basis. It helps in their decision-making process. One example might be acceptable use policies. You're going to have a policy for acceptable use, and you want your employees to use company-related assets, but if you don't tell them how to do it, they go and start surfing bad
(13:16):
sites, and what ends up happening? Well, they introduce malware into your organization. So, one, your morals or your thought process is not being spent on your employees because now you don't have policies in place to do that. So, again, those are the high-level principles that you need to put in place as a security professional. It also helps reinforce compliance, fosters trust and
(13:37):
then helps mitigate any risks related to employee misconduct or negligence. Again, like I mentioned before, if you don't have a good acceptable use policy, your employees will just go use their computers on whatever they see fit, or give it to their kids, and their kids will use it. I've had to deal with that before. And then how do you deal with those situations? So the ultimate point is this is what your organizational code
(13:58):
of ethics are and the importance of them. Domain 1.2, this is applying security concepts. So there's a couple different facets of the domain 1.2. We're going to kind of go into each of those here in just a second, so we're going to start off with the CIA triad, and this is confidentiality, integrity and availability. So you hear a
(14:20):
lot about that as you've been studying for the CISSP exam. And confidentiality, this helps ensure that the information is accessible only to authorized individuals, and it prevents unauthorized disclosure of sensitive data. So you're ensuring that the data is confidential, that nobody else can see it and that it's only accessible by those that are authorized to actually have access to it.
(14:41):
Some things that can be used for confidentiality would be encryption, access controls, data classification and various privacy policies as well. All of that is tied to confidentiality. Integrity, this helps maintain the accuracy and completeness of the data. So if you have your data that's in a log storage facility, you want to ensure that no one tampers with it.
(15:02):
Okay, and if no one can tamper with it, it helps ensure the integrity of the data and helps ensure that it's complete and it's consistent. It also protects against unauthorized modification or destruction, which is one of the areas that the hackers may go after, looking for this type of information and therefore having the ability to destroy it or manipulate it in a way that
(15:23):
hides what they've been doing. So examples of this are hashing, digital signatures, maintaining and managing version control, and then access controls and change management. All are tied to the integrity part of domain 1.2.
Availability guarantees that authorized users have timely and uninterrupted access to information and resources.
(15:44):
It also ensures that systems and data are operational when needed. So the ultimate point of this is that it's available to people. If people turn on their computers, they have access to it, they have access to the data that they actually need, and they're authorized users for that specific data. So a good example of how this could be affected would be a denial of service attack, and that would
(16:07):
stop you from having availability. So you have different ways to create this and protect this through redundancy, fault tolerance, backup and recovery, and disaster recovery plans. All of those pieces all fit into the availability piece around the CIA triad. Authenticity, now this is a part that verifies the identity of the user, the process, the system, and it confirms that the
(16:30):
information or resource is genuine, and this is something that we deal with in the AI world too. Do you know that those pictures are genuine or not? That's really hard to tell sometimes, but the ultimate goal, though, is that this verifies that the user, the process or the system is authentic. And how is this done? This is done through passwords, multi-factor authentication,
(16:51):
digital certificates and biometrics. The design is that, when you hear people talk about authenticity, you have the different controls in place to ensure that these things are authentic. Your passwords aren't being passed (the hash) and passed on to somebody else. You have digital signatures to verify that certain equipment is
(17:12):
whose it belongs to. What are the biometrics associated with your eyes, right? All of those aspects are around authenticity. Non-repudiation, this helps provide undeniable proof that a specific action or event has occurred and prevents any party from falsely denying it. So the ultimate point is that, with your non-repudiation, if I
(17:34):
come in and I say I am Brad Pitt, well, you all know that that is not true by any stretch of the imagination, but this provides undeniable proof that, when you have the documents that are there and you have your data that is there, it's undeniably proven that this specific action or this data belongs to these specific systems.
(17:58):
It also ensures the sender of a message or the performer of an action cannot later come back during an interview or during some sort of legal situation and say, no, I didn't do that, or I did do that. The point of it is to ensure that there's consistency and that you can't deny that this email or action was done by this person. We talked about some of the examples. You have digital signatures, you have logging and monitoring
(18:20):
that's available, and then you have third-party timestamps that are set up specifically. Now can all this stuff be spoofed? Yes, stuff can be done to it to help obfuscate it, but the ultimate goal is that you create a system, as a security professional, to take into account all of these different aspects. Your CIA triad, your authenticity and non-repudiation
(18:43):
are all pieces that you need to consider when you are deploying cybersecurity solutions. Okay, so, domain 1.3, security governance principles. So the ultimate goal in this subsection is to kind of get into different areas around governance. So the alignment to business strategy, goals, missions and objectives. Now your security efforts must directly support and enable the organization's core mission and strategic goals, and not
(19:06):
operate in isolation. I see this a lot. So when you're doing your security capabilities within your company, you are operating in tandem with different aspects of your company, such as legal, compliance, other parts of security and IT. You are not in a vacuum. You're not in a stovepipe. I don't even really know how many
(19:27):
people would ever get into a stovepipe, but bottom line is you're not operating independently and you're working as a team. This ensures that your security investments are prioritized based on business value and risk tolerance. You're going to see this, as a security professional, that a lot of times you're going to go, well, you have a budget. I don't have a budget. What should I do with my budget? You're going to come down to the fact that you have to show and equate what risk is being mitigated with the investments
(19:49):
that these security folks are putting forward. What is the business value? And, as security people, so often we do not always talk to the businesses and want to work directly with them. You are going to have to do that. It's imperative that you, as a security professional, are working with your businesses and with your other leaders within your company to, one, understand the risk and then to put things
(20:10):
in place to either accept it or to mitigate it. Those are different pieces that you're going to have to work through. Now the organizational processes, this deals with acquisitions and divestitures. Now some security considerations need to be integrated in all of these aspects when you're looking to bring on a company or you're looking to sell a company. I've been through many, many acquisitions and divestitures,
(20:31):
and if you don't have security baked in at the beginning, it gets very messy about six months to a year down the road. So you have to consider that. And for acquisitions, you need to conduct thorough cybersecurity due diligence on the target companies. I had a sale; it was going to be a purchase of a company. I brought forward some of the issues that they had with acquiring it related to security, and that wasn't the only
(20:54):
reason. But at the end of the day, we didn't acquire the company, and it was due in part to what we had provided from a cybersecurity standpoint. Now divestiture, same thing. You need to have a good separation of your systems and data, to include data sanitization, for the fact that you're going to sell your company off, and it needs to be built into this. So as you go into an organization and you look to go,
(21:16):
all right, what do we have in place, and then you start putting your data in segregated buckets, knowing full well that potentially some of these business units might be sold. You need to consider that and work with your business leaders to figure out how is the best way to make that happen. Now, governance committees. You need to establish formal committees. These are security steering committees, maybe working groups,
(21:37):
risk committees. These all have clear charters, roles and responsibilities and what they're going to do for the organization, and they will provide strategic oversight and approve and improve the security policies of your organization. Now, I've dealt with many working groups before, and these working groups are set up, some that are very good and
(21:59):
some that I've set up that are not very good. You need to really understand what you're trying to accomplish with the working group, and then what is the clear charter on what it's supposed to do. So those are really important aspects, and I deal with this on a daily basis. So it's imperative that you kind of think about this now while you're studying for your CISSP, because you will be
(22:19):
dealing with this on a daily basis, guaranteed. Okay. So part two is going to be around organizational roles and responsibilities. You need to clearly define and document your cybersecurity roles. This would be your CISO, your data owners, data custodians, and even the CISSP book goes into great detail around each of those. You need to define each of those areas within your company,
(22:40):
and I highly recommend the data owner and data custodian get that worked out really well. The data has legs. It will sprawl, and if you don't define who are the owners and who can manage it, it's going to have all kinds of issues, and you won't deal with it even short term. You'll deal with it long term. So it's an important part to define these capabilities in these
(23:04):
situations. You also ensure proper segregation of duties to prevent conflicts of interest and reduce the risk of fraud or error. And again, segregation of duties is so important. I had one time where there was a security professional and he was our cloud person as well, and he had rights to everything under the sun. That was a bad idea. We were able to get that separated and configured differently so that he didn't have all that power.
(23:26):
But you need to ensure proper segregation of duties on almost everything you do, and when you talk about this to application owners, ask them that specifically: what are your segregation of duties or separation of duties as well? You'll hear both terms, separation of duties, or SoD, and segregation of duties. Bottom line is ensure you separate stuff. I think I've said that enough. Security control frameworks.
(23:48):
There's various frameworks that you need to follow, and what is a framework? Well, a framework is just basically guidance or a guidepost to help you with an overall process. So, as an example, COBIT. All these are different frameworks that are designed to kind of step you through what are the things you need to think about related to security.
(24:09):
So, if you've got a certain area, identity and access management, how do you manage your identities? You have an area around governance. How do you manage your governance? There's different types of frameworks. I've been working with a bank recently and we're using the CRI framework, which is focused specifically around financial institutions. So those are different ones that you can use for your company.
(24:29):
They provide a structured, comprehensive approach to managing and improving the organization's cybersecurity posture, and they give you just kind of, like I said before, guideposts to kind of help you walk through it. Due care and due diligence. Now you need to really understand the difference between the two. So due care is where you act prudently and responsibly, as a, air quotes, prudent person would do. Now,
(24:49):
you'd protect the corporation's assets, their information, and this level of care is what a reasonable person would take under the circumstances. So your reasonable person theory, I try to go back to. You need to consider that in almost everything you do. Now, due diligence is that you perform reasonable research,
(25:13):
investigations, analysis to ensure that you have the facts, what you need to help make informed and really good financial decisions. Before basically jumping into anything, you want to make sure you've done the diligence to ensure that that's been done. This often precedes the due care. What it means is that you have done the research to make sure you have everything you need so that when you actually go make the decision, you have done everything that a prudent person
(25:34):
would do. So due diligence and due care. Domain 1.4, compliance and other requirements. This is dealing with contractual, legal, industry standards and regulatory requirements. So we're going to break down each of these real quickly. So legal, you adhere to national and international laws impacting
(25:54):
data. So if you have business that's somewhere around the globe, you need to make sure that you understand the country that you're in, their laws related to data breaches, data traversing or data transferring, different pieces around what happens with the data. Is it protected to be encrypted while it's at rest? All of those aspects need to be considered when you're dealing
(26:15):
with the legal aspects of it. You also need to comply with the regulatory pieces of this. This is specific industry regulations, so you would have GLBA for financial services, NYDFS for financial institutions. Are you following any sort of requirements within the European Union? Do you have Chinese data privacy laws? Are you following the regulations specifically for
(26:37):
that location? And then industry standards. You need to make sure that you conform to the best practices and benchmarks that have been provided, such as PCI DSS, ISO 27001, the NIST cybersecurity frameworks. Are you conforming to those? Now, one thing I ran into when I was a CISO is that I would force or require third parties, that's companies outside of my
(27:00):
company, to be either ISO 27001certified or, if they can prove
to me through attestation thatthey are meeting 27001, I would
kind of push them down that path.
Why?
Because then I knew they wereat least following some sort of
framework when they were goingforward.
Contractual aspects you'remeeting security obligations
defined in the agreements withthe customers, vendors and
(27:22):
partners, and you need to meetand exceed those contractual
agreements that you have withthese people, and that's another
part around compliance andensuring that you're doing that.
This ensures that allorganizations will avoid fines,
legal penalties and any sort ofreputational damage, because all
of these things can have a hugeimpact upon you and your
(27:42):
company.
Now, privacy requirements theseare protecting personal
identifiable information.
Now, a friend of mine incompliance said they don't
really use PII as a name anymore, but I'm telling you that most
likely, the CICP is going to askyou PII, and this is personal
identifiable information, so youneed to remember that term, but
you may run into differenttypes of terms of that when
(28:03):
you're out in the real world.
You want to adhere to globalprivacy laws such as GDPR, ccpa
all of these different privacylaws that are in place.
You, as a security professional, need to adhere to those, and
that comes back to the overallethics, like we talked about
before.
Now you implement principleslike privacy by design, data
minimization and purposelimitations these different
(28:26):
principles that are out there.
You need to basically understand those.
You need to have established clear consent mechanisms and you
need to understand individual rights to their data.
Do they want to be forgotten?
Do they want to have a right to access?
You need to understand the regulations that are within the
company that you're operating in and the regulations within the
country that you're operating in, that you are meeting these
(28:49):
types of situations.
You're meeting their data rights, you're meeting their
understanding around what they should do with the data and how
it should be stored, and this requires robust technical and
organizational measures to ensure data confidentiality and
user trust.
So, again, you want to have technical and organizational
controls in place to ensure that people are happy with what
you're doing.
There's nothing worse than to say, if someone's giving you their
(29:12):
information and they come to find out that you're not
properly protecting it, it does erode the trust of the
organization and of you, so you need to really have a good plan
on how you're going to manage that.
Okay, so domain 1.5, legal and regulatory issues.
Now you need to understand the various types of cyber crimes,
from fraud, espionage, sabotage, theft and the legal
(29:36):
ramifications that will associate with each of those,
and you need to understand that from a standpoint of how does
espionage?
If I have corporate espionage, how does that potentially impact
my company?
What would happen if one of my vice presidents is charged with
espionage?
What if I have an employee that puts a logic bomb within my
(29:57):
company and sabotages the overall infrastructure of my
company?
How do I deal with that?
You're going to need to consider all of those different
aspects, and if you don't consider it now, you will when
someone actually does it within your company.
So, adhering to data breach notification laws, these are a
big one you need to understand.
When do you have to tell somebody that, yes, I've had an
issue within my organization?
(30:18):
This comes down to defining what is an event, what is an
incident.
If they need to use the term breach, what is a breach?
And you need to define each of these in each of the areas that
you work in.
So, then, it may vary from state to state and also by
vertical, such as if you're in the financial industry versus in
the manufacturing industry.
Each of those are very different.
(30:40):
I know dealing with right now, working with financial
institutions.
72 hours is what they had, and in some cases, it could be 24
hours, so it's really important that you have a plan on how
you're going to deal with it.
You need to ensure proper evidence collection and
preservation for legal proceedings using digital
forensics.
You need to have a plan on your evidence collection and if you
(31:02):
don't have that plan, you need to start considering that within
your company.
And if you don't have the legal teams, maybe go talk to your
legal teams and ask them how should we do this?
If they may come to you and say we don't understand how to do
it, you may have to develop that.
Now, again, that comes back to: if you don't know,
tell them that, say maybe we need to hire a third party to
help us do this, or give me some time to figure that out, and
(31:24):
then we'll come back to you.
Licensing and intellectual property requirements.
So compliance with software licenses: is your organization
following those?
This helps avoid legal disputes and ensures you have legitimate
software within your company.
Protecting intellectual property, I did this for my
company and it's a challenge.
It really is. Such as patents,
copyrights, trademarks, all of
(31:46):
those things need to be protected.
And then you need to be able to provide guidance to your legal
counsel on what should be protected, and in some cases
I've worked with them to let patents go.
They go.
When would we need this?
And I might talk to them about how do you want this data stored?
Who owns the patents? All of those different aspects around
copyright and patent infringement were visited with
(32:09):
many of my legal team when I was doing IP protection.
You also need to understand the legal frameworks for IP
enforcement in the digital realm. Again, understanding how these
legal frameworks work and then how you're going to ensure that
you are protecting the intellectual property of your
organization.
Import and export controls: so there are times when you may
send data or send intellectual property to another country.
(32:31):
What are the import and export controls with this?
And this is where you adhere to the national and international
regulations governing import-export, especially of
cryptographic technologies.
So if you're going to be sending over some sort of
encryption to China, what are the rules and regulations around
that and is there any sensitivity to it?
You need to make sure that you meet those compliance
(32:52):
requirements for these trade restrictions and sanctions lists,
and you need to work with your compliance teams on doing that.
Like I mentioned before, you need to have a very strong
relationship with your compliance and legal teams to
help you in this overall process.
Transborder data flows: this is where you're complying with laws
and regulations that govern the transfer of data across
national borders, especially as it relates to personal data and
(33:18):
government secrets.
I can't tell you enough that if you don't have a plan around
transborder data flows, it's going to bite you someday.
So if you have an international business, if you have a global
business, you really truly need to consider this.
And so when you go for, one of the first things as you start
into a company is starting to understand where are all the
data flows, where are they all going and what kind of data is
going to these locations.
A friend of mine mentioned to me many years ago it's all about
(33:40):
the data and it really truly is.
And you understand these data localization requirements and
mechanisms for lawful data transfers.
This happens a lot with GDPR.
Is the data sitting in Europe?
How are you transferring the data out?
Is it anonymized?
Is it encrypted?
What is being done with it?
Those are your trans-border data flows.
Privacy: you need to meet the ethical and legal obligations
(34:02):
required for its collection, potential storage and any sort
of processing of PII.
Again, there's that term again, PII, but you're going to have
to understand.
Do you have different obligations in place to keep it
when you work with your compliance folks?
They're going to help you with this, but they're also going to
come back to you and ask you questions around what would you
(34:23):
recommend?
You're going to have to know those on what you should be
doing.
Comprehensive privacy regulations such as GDPR and
also CCPA.
Again, privacy core: you need to implement core privacy
principles like data minimization, purpose
limitations, consent and individual data rights.
Again, it comes back to privacy is a huge factor.
You need to consider privacy within everything that you do
(34:45):
and it should be almost coming off your lips as synonymously as
when you're talking about security.
They are very important that both of those are tied together.
So that's all I've got today for the CISSP Rapid Review Exam
Prep.
This is over Domain 1.
And now you can join me again.
On Thursday you'll get the second half of this Domain Prep
and it's going to be available to you.
(35:06):
It's awesome.
You can actually see the whole thing on my website or you can
go to YouTube.
It's out there as well, but all of that stuff is available.
Go to cisspcybertraining.com.
Check out all the free content that's available.
There's even more coming here in the near future.
Also, get my paid content.
I have lots of paid content that's there.
With that, you get help that walks you through the CISSP.
(35:28):
There's CISSP questions.
There's the overall blueprint to walk you through step by step.
It's designed to help you, guide you through the CISSP, and
so you pass it the first time and don't do what I did and pass
it the second time or the third, depends, but it doesn't matter
how long it takes for you to pass it, just pass the test, all.
Thanks so much and we'll catch you on the flip side, see ya.
(35:49):
Thanks so much for joining me today on my podcast.
If you like what you heard, please leave a review on iTunes,
as I would greatly appreciate your feedback.
Also, check out my videos that are on YouTube and just head to
my channel at CISSP Cyber Training and you will find a
plethora, or a cornucopia of content to help you pass the
(36:11):
CISSP exam the first time.
Lastly, head to CISSP Cyber Training and sign up for 360
free CISSP questions to help you in your CISSP journey.
Thanks again for listening.