
August 4, 2025 41 mins


The cybersecurity landscape grows more complex each day, especially when it comes to protecting critical infrastructure. In this essential episode of the CISSP Cyber Training Podcast, Sean Gerber breaks down Domain 2 of the CISSP certification - a vital area representing approximately 10% of the exam questions that every security professional must master.

Sean begins with a timely discussion of the recently discovered Honeywell Experion PKS vulnerability that could allow remote manipulation of industrial processes. This real-world example perfectly illustrates why understanding industrial control security is crucial across all sectors - from energy and water treatment to manufacturing and healthcare. The vulnerability serves as a sobering reminder that patching isn't always straightforward in environments that operate 24/7/365.

Diving into Domain 2.1, Sean meticulously explains data classification fundamentals - how sensitivity levels are assigned based on business value, regulatory requirements, and potential compromise impact. He walks through the relationship between classification levels (public through highly confidential) and corresponding handling procedures. The podcast builds logically through ownership concepts, introducing essential roles like data owners, custodians, stewards, and asset owners.

Perhaps most valuable is Sean's practical exploration of asset inventory management. Drawing from his extensive experience, he shares surprising stories of servers found in bathroom closets and emphasizes why knowing your asset locations isn't just good practice - it's essential for incident response and vulnerability management.

The episode thoroughly covers the complete data lifecycle from collection through destruction. Sean explains data minimization principles, location considerations for sovereignty compliance, maintenance requirements, and proper destruction techniques. His discussion of data remnants highlights why simply deleting files is never sufficient for sensitive information.

Sean wraps up with crucial insights on end-of-life system management and data protection technologies including encryption, DRM, DLP, and Cloud Access Security Brokers. His rapid review approach efficiently condenses critical knowledge while maintaining depth where it matters most.

Whether you're preparing for the CISSP exam or seeking to strengthen your security program, this episode delivers actionable knowledge you can immediately apply. Visit CISSP Cyber Training for free study resources and take the next step in your cybersecurity journey today!


Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
All right, let's get started.
Let's go.

Speaker 2 (00:22):
All right, let's get started. Hey, I'm Sean Gerber with CISSP Cyber Training and this is the CISSP Rapid Review Exam Prep, Domain 2. So we're going to be talking about in the next few weeks Domain 2 and Domain 3 of my Rapid Review. The Rapid Review goes over each domain, it goes over each of the subdomains that are tied to it and it walks through what are

(00:45):
some of the key considerations you need to know for the CISSP exam. So we're going to be going over Domain 2 today and then, because Domain 2 is relatively small, we'll be going over Domain 3, part one and part two, in the next week and a half and we'll be covering all of those and then we'll get back up to the regular role of CISSP questions and the overall CISSP

(01:05):
domains after that. But the goal is that the Rapid Review is to give you what you need to help you pass the test. It really is a great review of what you should be knowing around the CISSP and it's really good content. The video will be available on CISSP Cyber Training. So as you go through and you listen to this on your way to work and you go hey, let me go take a look at that video, check

(01:27):
it out on CISSP Cyber Training. They'll be being released here soon, so those will all be available to you as well. Or you can go sign up on my email list and once you get to my email list, you'll actually be able to get access to all of them and all of the questions that I have within the various the free tier that I have over 300 and actually probably close

(01:48):
to around 400, and some questions will all be available to you, as well as the Rapid Review as well as supplemental stuff. It's all there at CISSP Cyber Training. But before we get, let's move ahead and just go into what we're going to talk about. It's from the we've seen in the news today, and then we'll go in and get into Domain 2. Okay, so we're going to be talking about on the news today is the Honeywell Experion

(02:09):
PKS flaw allows for manipulation of industrial processes. Now I don't know if you all are connected with this. We've talked about this a lot in CISSP Cyber Training. The Honeywell Experion is one of many different types of companies out there that will work on the industrial control environment. You have Rockwell, you have Emerson, you have there's just

(02:31):
there's a bunch of other ones. There's Siemens, you name it. So there's a lot of different companies that are in this space, and the industrial control systems control pretty much everything that is important to us today, from energy, chemical, healthcare, water, you name it. They're all in this space, and so understanding and having security and knowing the security around this is extremely important.

(02:52):
One, to help protect our world that we live in. But two, it's also important for you to know, because you're going to be dealing with these systems. You may start off working at a bank but then end up in a manufacturing facility, so knowing all of these systems and how they work is a really important part of your overall cybersecurity journey. So this PKS system is the Process Knowledge System and it

(03:14):
controls automated solutions within the overall manufacturing processes. Now this flaw came out last week, is when CISA brought it up, and bottom line is they consider these as critical and high severity and they are impacting the Control Data Access component and can lead to remote code execution. So what does this really mean?

(03:35):
The bottom line is that if they went and tried to access these systems and they had access to them, they could control them remotely. So if you're in a water treatment facility, they could add too much of some chemical in there that could end up hurting people substantially. If they're in a manufacturing facility and they have chemicals, like I used to deal with, they could do a release on chemicals

(03:57):
that would potentially harm people from being released into the atmosphere. So again, all of those things are extremely important for you all to know and understand. So what do they ask you to do? Well, bottom line is you need to do an update and fix, do a patch to these systems to fix the problem. They say patch immediately and then that's great, okay, well,

(04:18):
we're going to walk into the patching immediately thing. When it comes down to patching in industrial control environments (we've mentioned this before, but for those that might be listening to this new), you cannot always just go and say, well, hey, it's Patch Tuesday, I'm going to push a patch. You can't always do that. In many cases, you can't do it at all. The reason is because these systems are running 24 by 7, 365.

(04:40):
They're running all the time and they cannot afford to go down, and so if they go down, there's a huge factor. If they just go down, in some cases it can blow things up. So there's a control process by which you would take parts of the facility down, and if these systems are in a highly controlled environment and they can't be taken down because the

(05:03):
environment won't go down, then they may have to wait a while before they can actually update them, put the fix in. So it's important that one, you understand your manufacturing places that you work with, where are all these critical systems at, and then also understanding when is their downtime, when they're going to actually shut the facility down and when could you potentially put patches on.

(05:23):
I'll give you an example, though. We didn't do what they call a turnaround. We didn't do a turnaround once every three years. Now they do turnarounds in parts of the facility every year, but it may not hit your area that this is working in for once every three years. So it's really important for you to have a good working relationship with your manufacturing facilities and

(05:45):
understanding how this all works. They also, once you get the update done, they want to also recommend that you do segment and isolate these networks. Well, that's a no-brainer, and we tell you that's a no-brainer, but it is. Most people don't do it. Physically separate these systems from your business

(06:07):
network, or you have a software type network connection that's allowing you to have them segmented. This is called the Purdue model and there's different ways around that. But the ultimate point is that you need to have a segmented and isolated control network set aside specifically for your industrial control places. Restrict user permissions, obviously keep out the people that aren't supposed to have access. One way may be through ACLs in your access controls.

(06:30):
Another one could be through multi-factor. There's a lot of different ways to do it. It comes down to is what does the network segmentation look like and what does your architecture look like with your process control environment? So again, big deal. I highly recommend that if you are in the manufacturing space and you have these various Honeywell Experion systems, you get them updated and have come up with a plan on how to do

(06:51):
that as fast as you possibly can. Okay, let's move on to what we're going to talk about today. So, as we talked about last domain, this is Domain 2 and the questions that are associated with it. There's approximately 10% of the questions that you will see on the exam are tied to Domain 2. Now does that mean that you can get by and say you know what, I

(07:12):
don't need to study Domain 2? No, you need to study them all, and this comes down to the 80-20 rule, which we've talked about in the past, is the fact that you need to spend 80% of your time on the 20% that you do not know. If you don't feel confident with that 20%, you need to spend a lot more time on it. That being said, you just also need to know all the content, not just the stuff that you don't know very well.

(07:34):
But I wanted to put a little plug out there. If you go to CISSP Cyber Training, you can get access to free resources that I have available to you. This will be weekly podcasts. There's over 250 plus. Now I have a three to five month study plan. That's there. You have 360 study questions, there's a blog and also on YouTube. You can get access to all of this content. It's not all curated. It is curated on my site, but if you can get it in multiple

(07:56):
places. If you want to get paid resources and say you need just a little bit more and you want some maybe a step-by-step help as it relates to the various content of the CISSP book, you can go to Get my Paid Resources and there's 36 plus hours covering all of the domains of the CISSP. There's 700 plus CISSP questions.

(08:16):
There's curated audio and video. It's all there available for you. I go into deep dive into areas as well. There's virtual CISO IT support. All of those pieces are available. If you want that, just head on over to CISSP Cyber Training. All right, so let's get started about what we're going to talk about today. So this is Domain 2.1 and we're going to be getting into

(08:38):
identify and classify information and assets. So this is pulled out of the ISC squared CISSP book. This is all we're going to walk through, all the things that they are requiring of you to know, that it's an important part for you to know for this domain. And again, this is Domain 2.1. And we're getting into data classification and asset classification here, just starting off now.

(08:59):
The purpose of data classification is to assign sensitivity levels to information, determining the appropriate security control for its protection. Now this is focused on the CIA triad, which is your confidentiality, integrity and availability, and we've talked about a lot of this on the podcast and in my training at CISSP Cyber Training around the different levels and what you

(09:20):
should be looking at now. These typically are focused on business value and it may, or, if it's in the government, on what could affect the government from their standpoint of risk, and that comes down to secret, top secret and so forth. But they're based on business value, potential legal and regulatory requirements that may fall into your company and then potential impact of a compromise, such as financial

(09:42):
loss, reputational damage, legal penalties and so forth. So you need to classify the data specifically related to those, and it may be where that you go through your entire organization and you will then classify each level of data within your organization. It's a very painful and arduous process, but it's something you really truly need to consider and we've talked about that as well. It's one of the first things you need to actually understand

(10:05):
as it relates to data classification. Now classification levels: these are common examples that you may see in the news, you may see them in your work, and these are public, internal use, confidential, restricted, highly confidential. I've seen general, open to the public. Those are some levels as well. You can run into classifieds such as secret, top secret and

(10:25):
so forth, but those are the classification levels for the data. Now each level will dictate the specific handling and storage, access and destruction requirements for each of those. So you need to make a plan that how will you actually use these and how will you use them to protect the information within your company. Next is ownership. Now the data owner.

(10:49):
This is often the business unit or the executive that's tied to the data. Specifically, they are responsible for determining the classification related to it. So you need to make sure you have a data owner when you are going and you're doing data classification as well, and/or a custodian. You'll get in the term custodian will pop up. You need to make sure that you have those well-defined. Now asset classification: this is the assigning of criticality and

(11:11):
sensitivity levels to the organizational assets. Now this could be to your hardware, your software, your intellectual property, people, facilities and so forth. That's the overall purpose of asset classification. Now it's based on the value of the asset itself and, potentially, the criticality to the business operations. That's that you may have a system that runs, maybe a

(11:33):
pipeline for your organization and that would be a critical asset. And you could have a situation where you'd have to have multiple spare backup systems available to run it. And a lot of times they'll have that in place because that software that was running that, let's say, that pipeline system,

(11:54):
it won't operate on any of the newer systems. So you have to buy a Windows 95 compatible system and have it as a spare, a hot spare, cold spare. You've got it sitting aside waiting to be used. Now the classification levels. They can be very similar to data classification, such as mission critical, business essential, operational support.

(12:14):
But these are specifically you tie those to what is this asset and what is its criticality to your organization, and it ensures that the security resources are prioritized to protect the most valuable and critical assets. I will say asset classification gets even harder because there's a lot of assets out there that we don't even know exist. But the good thing with asset classification is that if you

(12:36):
have a good handle on your organization and the amount of the equipment that's in it, it can be very, very useful to your company. Now, Domain 2.2: we need to establish information and asset handling requirements based on classification. Now you need to have procedures for handling, storing and transmitting information. They must directly align with the assigned classifications now,

(12:58):
depending upon what you had signed up for with your company, such as public, confidential, highly restricted and so forth. They need to line up specifically with that, and that would be stricter controls based on the classification that you put out there, such as encryption, dedicated storage. You may have virtual LANs, you may have cloud storage. All of those would be set up to mandate for higher

(13:20):
classification levels. If you're dealing with classified systems, such as secret, top secret, those may be completely separate systems from everyone else and they don't touch each other. So you just have to decide how do you want to handle that, based on the classification schema you are going with. You want to handle practices for different states, so the states are what is the data doing?

(13:41):
So you have data in transit, data in use and data at rest. Now, data in transit: this would be secure methods for transmitting the data, such as tunnels, such as VPNs, TLS tunnels, secure file transfer protocols, any SFTP, any sort of physical transport protocols or safeguards you have in place. That would be your data in transit.

(14:01):
As an example, when we'd have hard drives and we'd be moving data from one location to another because we'd have to put them on hard drives (at the time the thumb drives weren't quite big enough), you would have specific controls in place for that data while it's being moved, and that's a physical move of the data, not just necessarily sending it electronically. So you just have to determine what would work best for your

(14:24):
company and what works best in this specific situation, and this is where you have to be involved directly with your data owners to understand what are they trying to accomplish. Data in use: these are procedures for accessing and processing data: clear desk, clear screen policies, workstation security and restricted printing. These are all data in use aspects. You need to kind of have that defined and you need to have

(14:47):
policies defined specifically related to it. Data at rest: requirements for storing. This would be encryption at rest, which we all know, if you've listened to this podcast at any length, data is really very rarely ever at rest. But you need to have encryption in place. You need to have physical standards, maybe physical separation. If you are in a data center, does the data center have

(15:07):
physical controls in place to allow or not allow people access to potentially your data as well? Those are all part of the things that need to be considered in the handling practices. Information and asset marking and labeling. So you have the assets that are there, both digital and physical. You need to have them properly marked. If it's digital, then you're dealing with the digital aspects

(15:30):
that you would be in your documentation. Maybe say it says top secret. Or if you're dealing with the physical assets, such as a hard drive or a computer, there's labels specifically on those devices saying that this one is classified, top secret or not. This also helps users and the systems apply the appropriate safeguards. It makes you also keep in mind what kind of systems do you have.

(15:52):
It also highlights if, for some reason, someone's moving equipment around, they don't put a classified system in an unclassified location. So there's lots of really good aspects around information, asset marking and labeling. Okay so, as we continue in Domain 2.2, you're establishing information and asset handling. We're talking about secure disposal and destruction, so you

(16:14):
need to define methods for securely disposing of the information and the assets once their lifecycle, their existence, overall product has ended, right? So if your data's ended, how do you adequately destroy it? If your systems are completely done, you don't need them anymore, how do you destroy, slash, reprovision them? Whatever you're going to do, this also ensures the data is irrecoverable. If you're dealing with degaussing, there's methods for

(16:36):
that, such as physical destruction. You use a degausser for magnetic. You could use a shredder to destroy the hard drives. Those are different aspects that you would put in place. You could do cryptographic erases, where basically, you're using crypto on it and you can't ever get access to it, or secure overwriting, which is one of the DoD's aspects, where you're just writing bits over the top of it.

(16:57):
Multiple passes and so forth. Roles, responsibilities for handling: you need to clearly define the responsibilities of the data owner, the custodians and the users in adhering to the established handling procedures. You need to make sure that your people are trained and they have the proper requirements that are all relative to the roles. When I talk about training, it's not just you see a CBT, you

(17:18):
actually in some cases have to physically walk them through, especially if they're doing destruction. Where do they pick this hard drive? Who are the people that sign off on it? There's usually a lot that goes into it. You don't just go okay, well, hey, I'm going to drop off this hard drive at this location. There's usually a sign-for process. So, and there's also with the accountability of you're taking

(17:39):
hard drives to a location, how are they signing off for them when they accept them? So there's a big whole ordeal that goes into that. You need to implement accountability mechanisms again for noncompliance. So if somebody decides not to do what you've asked them to do, what are they accountable for? What are the ramifications for not doing it? That all is called out in the roles, responsibilities for

(17:59):
handling. Okay, so now we're in Domain 2.3, provisioning resources. So you have to figure out information and asset ownership. So we talked about this just briefly and we're going to kind of go over a little bit more of that. What are those folks? You have a data owner, data custodian, data steward and then asset owner. So the data owner is a business unit or individual, often

(18:21):
senior management, that is assigned to it. Now you have seen this in the case where senior management doesn't even know that they are accountable for this, but they're ultimately accountable for the protection of the specific data assets. They determine classification and the potential acceptable use. You're going to have to, in some cases, walk them through and help them with this situation. Your data custodian: this is an individual or department

(18:42):
responsible for technical implementation and maintenance of security controls to protect the data specifically, and then this is directed by the data owner. So the data owner, the CEO or whoever large executive they are, the ones that are going to tell the data custodian what they should do and what kind of technical implementation and security measures they should put in place.

(19:03):
Now the data steward: this focuses on the data quality, integrity and ensuring their compliance with policies and regulations. I don't always see the data steward, but you may get called out on the CISSP exam. I definitely see data owners. Custodians, definitely see those folks. The data steward again, they are focused specifically around compliance with policies and regulations, and so that would

(19:25):
be that term that would come back to that. Asset owner: this is the individual or department accountable for protection and value of the specific assets or systems, and this could be the system owner. It could be the application owner. That is what they call the asset owner. Now, clear ownership is imperative when you're dealing with accountability for these security decisions and risk acceptance.

(19:45):
You need to deal with this and if you haven't, once you define the data itself, the next step is having really strong outlined who are the data owners, custodians and so forth. That is just a crucial part in this overall process. Now, asset inventory: the purpose of this is to create a comprehensive, accurate and up-to-date record of all organizational assets.

(20:06):
Having an asset inventory for your company is a very, very important part, and it's an asset in and of itself. This includes your hardware. This would be servers, workstations, devices, mobile devices, anything along those lines, as well as database files, PHI and so forth, all of that intellectual property. All of that is an important part and the key aspect, as well

(20:28):
as knowing even the physical locations of where these assets are living. Too often I've seen it where these systems are sitting in a closet. I've had one in a bathroom once before. It's sitting up above. I've had one actually on the floor sitting next to a toilet. So you know, all of those are really bad places, honestly, but you just have to know where all of it is sitting.

(20:49):
Now the attributes that would be captured for your asset records would be a unique identifier, location, owner, criticality. All of those would be potentially set up as some sort of metadata within the asset itself, and it's an important part, especially if it's network connected. If you can have an idea of where these systems are located based on their network activity, that is a huge asset,

(21:10):
especially since, if you can say it's in closet one, down the road from building XYZ, right? Obviously you'd have a little bit more brevity than that, but ultimately you want to have some sort of naming convention that helps you with those different types of attributes. Now, the benefits of this: it's again, it's essential for risk

(21:31):
assessments, vulnerability management, incident response and compliance. You got IR teams. They need to know where all these systems are at, your vulnerability management. Also, is this a system that's externally facing or is it internal? All of those pieces are extremely beneficial when you're dealing with your overall assets. Domain 2.4, Manage Data Lifecycle. So your data roles: we talk about the different types of assets.

(21:52):
Now we're going to talk about data roles. You have your data owner, you have your data controller, you have your data custodian, your data processor and your users and the data subjects. So we talked about assets before, but now you're going to be getting into the data. Specifically, data owners: these are again back to the business unit or individual, often senior management as well, and they are

(22:12):
ones that are owning the data. This one is a little bit closer to what people will understand: yeah, okay, I own the data. You'll see more people that will actually take ownership of the data because they work on it on a daily basis; the assets, sometimes, not so much. The data controller: this is a person or an entity that determines the purpose and means for processing

(22:33):
personal data. You'll see this vary a lot within the GDPR world and realm, and it's all coming down to the data itself. Data controllers are highly sought after within the European Union. We don't. We have a few of them here in the States, I've seen them, but for the most part, it's in the European Union is where I've interacted with them. Your data custodian: these are individuals or departments

(22:55):
responsible for technical implementation, maintenance and security of the data controls, again directed by the data owner. So the owner's the one that's ultimately responsible and they pass that accountability, not accountability, but that help or activity down to the custodian to do the work on a daily basis. Your data processor: again, this is an entity that processes

(23:15):
personal data on behalf of the data controller. This is very common in the privacy regulation space within GDPR, so your data controllers will handle it locally. They then pass it up to the data processor and they're the ones that handle it from the data controller. On a much larger scale, users and data subjects: these are individuals whose data is being processed or who interact

(23:35):
specifically with the data. It's pretty much as it sounds, users and the data subjects. They're the ones that have the data. They're the ones that already have their data being used. I just said data about 5,000 times, so I hope that makes sense when it comes to data roles and related to Domain 2.4. Now, as we roll into data collection, you need to establish policies and procedures for legitimate and

(23:58):
secure acquisition of the data. Again, it's important that you are collecting all of this information. What are you doing with it? Where is it being stored? What is people's responsibilities with it? This comes down to establishing the policies and procedures for that use. You also need to ensure data minimization. This is collecting only the necessary data and the purpose for limiting, using data only for its stated purpose.

(24:20):
You don't want to be collecting data just for the sake of collecting it. One, it can add a lot of legal issues to it. Yeah, it can add more legal liability as time goes on, but you really need to make sure that you have a good plan around data collection and data minimization. Data location: this is where you're understanding where the data is physically and logically stored.

(24:42):
This is an important part, especially when you get into some countries. They require data localization in their country or in a country that's part of, let's say, the EU, and moving the data out of that country can be a bit problematic. I ran into this dealing with China, moving data in and out of China. There's specific information that is not allowed to leave,

(25:02):
and then you have to be. This again comes back to data classification, understanding what data is out there and where is it being stored. It's crucial for complying with data residency and sovereignty laws, which you will run into and becoming more and more problematic. You may even get to the point where data sovereignty may require to be stayed within the states of the United States and

(25:22):
various states themselves. We're seeing bits of that. I don't know if it'll ever get to be that granular, but it's becoming more and more. People are focused on their information and where that information is being sent and sold to. Data maintenance: this is ensuring the accuracy, completeness and consistency of the data through its entire lifecycle, and so often you'll

(25:43):
see that people will start this data process, but
they don't think about the beginning and end of this
overall life cycle, and what does that entail?
You need to have accurate, complete and consistent data
throughout the entire process itself.
This would include patching databases, regular backups,
integrity checks.
When you're dealing with backups, I was working with a

(26:04):
company and ensuring that all the backups sent to the cloud
had antivirus-type malware scans done on them.
One of the things the bad guys and girls will do is they will
install malware in a system, let it sit there for 90 to 120 days
before they activate it, with the thought that the backups now
include the malware.
So when they activate it and they go to basically do

(26:26):
destructive malware, people go to the backups, pull the backups
down and then the malware is still there.
So you need to really have that, which includes the integrity of the
data.
That's the data maintenance piece of this.
That's an important part of any organization. Data retention:
defining and adhering to policies for how long the data
must be kept.
This is based on legal, regulatory, compliance and other
business requirements.

(26:47):
Depending on if you're in the banking industry, it's a very
different number than if you're in the manufacturing space.
So how long are you going to keep it?
I would also recommend, though this comes down to data
classification, you only keep the data that is most important to
you.
You do not just keep everything because, one, it opens you up to
legal discovery.
It also opens you up to just a lot of cost.

(27:08):
Maintaining all this data can get very expensive, and this
information just sitting in a database someplace just adds up
cost after cost after cost, and it's just not worth it.
It truly isn't.
So you need to balance the business needs with the storage
costs and your potential privacy concerns.
Data remnants: this is the residual data that remains on

(27:29):
media after it's been erased or attempted deletion, and we
talked about this just briefly with data destruction.
This is the information that's still there, and you need to
understand that simply deleting a file does not remove the data.
If you're dealing with hard drives, deleting the file really,
in most cases, is deleting the marker or deleting where it says

(27:49):
the data is stored.
Once it deletes that, then what ends up happening is this data
is still resident on the hard drive.
It just eventually gets overwritten as more data is
added to the computer.
But that's where it's important that you actually physically
will go through and rewrite over all the sectors on these hard
drives, and understanding it and the fact that residual data does

(28:10):
exist, and there's hard drives and there's data storage
capabilities in everything.
So you truly need to understand where's your data going, what's
it touching and where's it being stored.
Data destruction: this is the process, obviously, of
completely and irreversibly removing data from the storage
media to prevent unauthorized recovery, and we kind of talked
about that as well related to shredding, degaussing,

(28:31):
cryptographic erase. All of those must align with your
classification and retention policies.
This will prevent the data remnants from occurring.
So you can see, as we are building on these in domain two
from domain one and also just through domain two, they all
build upon themselves, and having a good strategy around all of
this is an important part of any organizational data security

(28:53):
and information security program.
Domain 2.5, you ensure the appropriate asset retention, end
of life or end of support.
So when you deal with asset retention, this goes beyond just
the data: physical and logical assets.
These include the life cycle that impacts security.
And when I say life cycle, what exactly does that mean?

(29:13):
It means from the time that it was birthed, you have a baby data,
to when it is actually going through the entire destruction
life cycle and it dies.
So often data is birthed, it's managed, it's manipulated and
then it just gets stuck in a corner someplace and, because
it's not old like me, it doesn't eventually die.
It just sits there and it just waits to be discovered once

(29:35):
again, which can cause all kinds of drama, right, legal drama,
also bad data drama, all kinds of things, and you don't want
that to happen.
The policies must be defined for how long and the types of
assets that are going to be kept and operational and when should
they be retired.
Many companies will have a data destruction policy where, after,

(29:55):
if you haven't touched your data in three years, you need to
destroy it, and those are really good things.
Now there is a downside, right?
If you have data that is extremely valuable and you spent
years building it, and then you go and destroy it, well, that
can be cost effective or business effective, and so you
don't want to do that.
You want to have a good plan to deal with that data, that is my

(30:21):
super secret IP, that I am protecting it for the long term.
This balances business needs with security risks, compliance
and requirements, and then the operational costs that go with
it.
End of life and end of support.
Your end of life.
This is the point at which the vendor stops marketing, selling
or offering a new feature.
You will run into problems like this, and Microsoft and all
these other manufacturers do run end of life.
Hence, back to Windows 95 and those NT systems.

(30:42):
Yeah, they're end of life, they're long gone and they
should be dead, but guess what?
They are still out there.
Um, they may still receive support in some of these end of
life situations.
Uh, but it does begin the end of the retirement phase.
When you're dealing with end of life systems.
Yes, when they say, hey, this one is ending in April
of 2025.
Okay, cool, then we will offer extended support for two more

(31:05):
years for a price of X.
Now, that gives you two more years as an off-ramp.
If you haven't already planned, however, the other can get
real expensive, real quick.
A lot of times I've seen it, yeah, we've got the off-ramp
planned, and then the two years comes and goes and they're like,
oh, we got nothing.
And then you go in a situation where your systems are out of
support and now they're vulnerable and that's bad,

(31:26):
that's not good.
End of support: this is the critical date when the vendor
completely ceases operations of any form of support.
This includes security patches, bug fixes or any sort of
technical assistance.
That's a bad place to be.
Security implement, or implications, of end of support:
operating systems, applications and hardware beyond their end of
support date obviously expose the organization to risk.

(31:48):
You have to decide if that risk is substantial or not
substantial for you, and so understanding which ones are end
of life and which ones are end of support is a good place to be.
So know that.
Going into it where you're at, continuing on to 2.5 and end of
life and end of support.
Some key considerations when dealing with end of life and end

(32:08):
of support management. Proactive planning: an important part of this
entire plan, like we kind of mentioned, upgrades,
replacements and secure retirement should be thought of
and considered.
Risk assessments.
You need to do a risk assessment of these systems that
you're going to continue to use beyond the end of life and end
of support, and there needs to be documentation associated with

(32:30):
this, and there needs to be sign-off from leaders on that.
Yes, they are accepting this risk.
Especially if you obviously are going to continue to use it.
You need to have sign-off on that.
And if you're a security person that's going through this, you
need cover.
Sorry, you just do.
Someone is going to come back and say why, when this thing
gets hacked, why did we allow this?
And then you pull out the piece of paper.

(32:50):
Now, you still may get fired, but at least when you pull out
the piece of paper, the person who signed it, they get fired
too.
So you go out together, smiling as you tiptoe down the tulips,
down to whatever the golden road.
See, I got to use a Kansas analogy: the golden brick road,
yellow brick road.
Yeah, that's it.
See, I've been here how many years and I still don't even
remember that.
Anyway, you need to have that done. Again.

(33:14):
Migration/replacement strategy: develop and execute plans for
migrating data to new systems and then the functionality to
support these assets, so you migrate them to new systems.
You also have to have the system stood up.
Things to consider is if you are in a country that you have
to buy new equipment.
Is it such as China?
Is that they require you to buy systems from within the company

(33:34):
as a country itself?
Then you got a whole different animal.
When you're dealing with intellectual property protection.
Secure decommissioning: you need to ensure the end of life
and end of support assets are securely decommissioned and disposed of
according to your data destruction policy.
So again, you've got to build the policy, you've got to
destroy it appropriately.

(33:55):
Compliance: verify the retirement process aligns with
all relevant regulatory and industry standards and it meets
what the kind, what you're.
If you're in the banking industry, how does it meet those
standards?
Uh, you may be surprised if you're following.
There's actually a really good framework out there on banking
called CRI.
I highly recommend it.
Um, that will help you a lot, especially if you're in the
banking world.

(34:15):
Domain 2.6, determine data security controls and compliance
requirements.
So data states: data in use, in transit and at rest.
We kind of talked about these already, but when you're dealing
with data states, you need to understand what, because of your
current data that's being processed right now, what are, by
the user of the application, what are the security challenges

(34:36):
that may be in place related to memory protection and,
potentially, insider threat.
This would be RAM, CPU caches, active applications and so forth.
Your data in transit, obviously, working across your network,
within the internal network or between cloud services.
Big one is SaaS, right, and you've got different cloud
services that are communicating between them.
An important part is you need to have a good security focus on

(34:59):
securing the various communication channels. Data at
rest: data that is stored physically on the media, like we
talked about itself.
You need to protect that medium.
Do you have, if you're using USBs,
is it encrypted?
How do you manage the encryption on those keys or on
those USB drives?
Anytime I dealt with any sort of data that left my
organization that needed to be on USBs, it had encrypted thumb

(35:20):
drives that it was being used or encrypted hard drives in which
it was being used.
Scoping and tailoring, standard selection.
So when you're in the process of determining which security
controls or standards are applicable for the specific
system, organization or data set based on its context,
criticality and regulatory environment, you need to scope
your data.
You need to scope your systems and the controls that are tied

(35:42):
to it.
If you have a good framework that you're going to follow,
let's say it's ISO 27001, or, like I mentioned, the banking
industry, CRI.
That will really help you a lot with your overall scoping and
to understand the specific systems and what are the
controls you should have in place for those specific systems.
Tailoring: this is customizing and adjusting the

(36:02):
selected security controls from the standard or framework.
So again, to talk about CRI, and the framework says you must
have, I'm going to say, 12-character passwords involved
with your protection of your IP or protection of your data, and
you come in and you say, well, you know what, I'm going to
tailor that to having 20 characters and biometric access

(36:24):
to gain access to all these systems.
So that could be your choice, right?
If that's the case, that would be what they call tailoring, and
this ensures other controls are effective and not overly
burdensome.
Now, that would probably be overly burdensome, but you may
tailor them specifically based on what the needs of the data
owner wants for that specific data.
You just have to determine what is the best aspect for you.

(36:45):
So, scoping and tailoring.
Now, data protection methods.
What are some of those?
We talked about encryption already.
We're dealing with cryptographic techniques,
obviously at data at rest and transit and in use.
Where possible, this could be encrypting the data as you're in
the tunnels that are going between there.

(37:06):
It could be the data itself, specifically. Access controls:
this would be implementing authentication and authorization
mechanisms to restrict who can access, modify or delete this
based on their permissions.
And again, deletion is a big factor.
You know, modifying is one thing, but if I can go in and
wipe everything that you have, that's a much bigger deal and it

(37:26):
can be much more problematic.
Data masking, tokenization and pseudorandomization. See, that's
a big $10.
That's more like about a $30 word.
I can't say very well.
Coming from Iowa and my third grade education, I struggle.
But that being said, how do you mask it?
How do you keep it from being known that this is the 11 herbs
and spices for Kentucky Fried Chicken?

(37:47):
You would not say that.
You would say herbs.
And yeah, Kentucky.
That doesn't tell me anything other than maybe a guy by the
name of Herb.
But all in all, you want to have techniques to obscure the
sensitive data while maintaining its usability for testing,
analytics, and reducing the privacy risk.
Now, data protection methods: these are specific technologies

(38:09):
that you can use to protect the data outright.
Digital rights management: this is your DRM.
This is used to control access and usage of copyrighted
materials and sensitive digital content.
You can restrict copying, printing, forwarding of the
specific files themselves.
You have DLP.
These are systems that detect and prevent sensitive data from
leaving the organization through email, cloud storage or

(38:30):
removable media.
All of these aspects are in place and this would be designed
specifically to protect this information over your
organization's control.
Then you have cloud access security brokers, CASBs.
This is a security policy enforcement point out in the
cloud between your cloud service consumers and your cloud
service providers.
This combines and interjects enterprise security policies as

(38:54):
cloud-based resources are accessed.
It basically sits in the middle, and if you have a policy that
says you can't access certain virtual private clouds, it will
block that, or can you access specific data within the virtual
private cloud, it will stop that as well or allow that,
depending upon the situation that you have.
They provide visibility, data security, threat protection.

(39:15):
They're a really good tool.
They have worked very well to give you that overall insight of
your cloud environment and it's just not like an extension of
your security operations center.
These CASBs can be very useful for that specific purpose.
That's a whole different conversation for another time.
But you need to understand those different types of data
protections: DRM, DLP, CASB.

(39:36):
Thank you again so much for joining me today.
Again, I've got plenty of free resources.
Head on over to CISSP Cyber Training.
You can get access to all my free resources.
I have weekly podcasts.
I have a three to five month study plan.
360 questions are all available to you.
My blog, there's all kinds of content that's there.
You can also check this out on YouTube as well.
So all of that information is there in a curated form for you

(39:59):
specifically, and it's available.
It's awesome.
It's a lot of free, free stuff.
The goal is to get you as much as I can for your self-study
options as possible.
They have paid resources as well.
I have over 700 CISSP questions.
I have 36 plus hours covering all the CISSP content.
But it goes beyond just the content itself.
It's in all the information you need to be a security

(40:20):
professional.
I have audio video content.
I have deep dive content, mentoring options as well, and
then, if you need virtual CISO or IT leadership and consulting,
that is all available to you as well at CISSP Cyber Training.
All right, I thank you so much for going through this rapid
review with me and I hope you guys have a wonderful day and we
will catch you all on the flip side, see ya.

(40:41):
Thanks so much for joining me today on my podcast.
If you like what you heard, please leave a review on iTunes,
as I would greatly appreciate your feedback.
Also, check out my videos that are on YouTube and just head to
my channel at CISSP Cyber Training and you will find a
plethora, or a cornucopia, of content to help you pass the
CISSP exam the first time.
Lastly, head to CISSP Cyber Training and sign up for 360

(41:05):
free CISSP questions to help you in your CISSP journey.
Thanks again for listening.