Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP
Cyber Training Podcast, where we
provide you the training and tools you need to pass the CISSP
exam the first time.
Hi, my name is Sean Gerber and I'm your host for this
action-packed, informative podcast.
Join me each week as I provide the information you need to pass
the CISSP exam and grow your cybersecurity knowledge.
(00:20):
Alright, let's get started.
Let's go.
Cybersecurity knowledge.
Speaker 2 (00:24):
All right, let's get
started.
Hey all, Sean Gerber, with CISSP Cyber Training and hope
you all are having a wonderfully blessed day today.
Today is an amazing day.
We're going to be talking about some awesome stuff as it
relates to the CISSP Domain 7.3.
So you know, we're marching down the CISSP training path and
trying to get.
The overall plan is to get you as much knowledge as you can to
(00:46):
help you pass the CISSP exam.
I keep getting tons of emails from folks that have passed the
CISSP and they're very excited about that and they do enjoy the
podcast and the overall training.
So I guess that's a little bit of self-promotion.
But bottom line is I'm doing this for two reasons.
One is so that you pass the CISSP exam because I failed at
(01:08):
it and we want to make sure that it gives people an opportunity
that may not have some of the expertise and knowledge to be
able to, or at least have maybe not all of the knowledge you
need to pass the CISSP, to give you that point, that thing that
you need to get you across the finish line.
And the second thing is we want to promote the site and
offer up our services for a way, a price, that can then fund our
(01:30):
adoption for or not our adoption our nonprofit for
adoptive families.
So the overall goal is I want to use this money, that any
money that's gathered from the CISSP Cyber Training Plan is.
All of that money goes to fund the non-profit that my wife and
I have set up for adoptive families.
So, again, you got to give back, you got to provide stuff for
(01:53):
other people, because in reality that's all what we're here for.
So, real quickly, before we get started in today's plan we're
going to get into an article I saw on Computer World and it
talks about how many jobs are available in technology in the
United States.
Now, interesting part of this I've had some individuals reach
out to me that have been laid off in security not necessarily,
(02:14):
no, not security in the IT world and they are trying to
pivot themselves into the security space so that they are
better positioned for the event of a potential downturn when it
comes to IT professionals.
Now, if you look at this article from Computer World, it
talks about that there are right now, more than 7,500 new
workers in IT.
This just basically this past month.
(02:37):
So that's a lot right.
So that's the month of June and industry added about 7,500 new
US workers more than any month this year, so it looks like it's
growing.
I would say that's probably going to be some pivoting, and
where that means is that as folks move into new sectors of
the IT space, there's going to be new jobs created, but I do
(03:08):
feel there will be jobs that are going to be destroyed or
repositioned, and so if you are a person that's working in the
IT space and you want to have some more experience, obviously
cybersecurity is a big factor.
If you have some of that and you can gain some of that
knowledge, that would be valuable.
But one thing I thought was interesting in this overall
article they talked about a lot more certifications that are
happening and therefore there's also some other key parts.
That I thought was interesting as it relates to college degrees
(03:31):
and when we're talking about overall employment, you guys can
check it all out and look at the different details around it.
But they said the greatest uptick has been in software
developers.
Obviously, I can see that happening as we are becoming
more and more dependent upon the software development space and
those individuals.
You can see that that will have a significant growth in that
(03:52):
area.
But one thing that I've seen it coming by myself over the past
few years, including when I was hiring individuals, is that we
removed this requirement of having a four-year college
degree requirement.
So if you're a college person, you might be going.
Well, why am I getting my college degree?
I feel that if you have a degree in IT, that's valuable.
(04:13):
I think that still having a degree is in many cases, allows
you to check that box, to get in the door for an opportunity.
However, I do believe, and strongly believe, that this is
not a requirement.
Removing having a four-year college degree is not a
requirement in IT.
It gives you some experience, some I would some say in some
(04:37):
knowledge base, but when it comes to the overall making you
a better fit for a role within a company the four-year degree
isn't necessarily what is required.
In my humble opinion, and again, that's just my opinion. After
teaching in college for a couple of years and then hiring people
from colleges and now being a contractor working for other
(04:58):
companies, I don't see it as a requirement.
I do see it as a nice to have. Now CompTIA.
They had been the ones that helped get some of the numbers
around this article and CompTIA, if you're not aware, is one of
the main certification companies out there.
I've gotten many of my certifications through CompTIA
as well.
But they talked about network support specialists, IT support
(05:19):
specialists, system admins, network architects and data
administrators.
So all of those are the different kinds of growth
opportunities they saw in the month of June.
Bottom line is if you are getting into cybersecurity, I
would highly recommend that you strive to be into the
architecture space, and I'd also strive very strongly to
understand networking. After dealing with employees.
(05:42):
That is not a well-known topic.
Networking isn't, and I will point to myself.
In some respects I understand networking, but I don't have the
same level of knowledge that I probably need to have related to
the networking environment.
So grow your knowledge in that space.
It can be extremely valuable, especially as people move and
migrate into the cloud.
(06:04):
Okay, so that was the main thing I want to talk about.
This article as it relates to the college degrees talk about.
Jobs are increasing in the United States in the IT space,
but they're becoming very specialized in databases.
I see more in cloud and then also in software development.
Those are some of the key parts that came out of this article,
so let's go ahead and let's roll into what we're going to talk
(06:24):
about today.
Okay, so this is under domain 7, 7.3, and we're going to be
getting into performing configuration management.
Now, this is taken out of the CISSP's ISC squared book that
they have and that's the Certified Information Systems
Security Professional Official Study Guide.
Now, this is based on the 2024 book.
I will say that the fact is that the 2021 and the 2024 have
(06:50):
not really changed much at all.
The content has not.
There's been a small subtle increases, but mainly the only
increases have been around what questions they're asking.
So this content will be good for 2024 and it will help you
pass the test, no doubt.
Okay, so let's roll into 7.3.
So, as we're dealing with configuration management and now
(07:11):
this is gonna be a subject we're gonna go through a little
bit here that is covered in other areas of the CISSP, but
this kind of focused this section in 7.3 specifically
around what is configuration management.
Now we're going to get into configuration changes, change
control and so forth, but when you're dealing with security
(07:32):
configurations, asset discovery is a key concept to ensure you
have some level of protection for your enterprise networks,
and that means you must have the ability to discover what assets
are on your network.
If you don't have a good understanding of the assets that
are on your network, it's really hard to protect them.
I will say it's one of the biggest challenges that a large
organization will have is around asset discovery, especially if
(07:56):
you allow your employees or you allow individuals within your
company to be able to install assets without a proper change
control process.
And what I mean that is that if you have an individual at a
remote location let's say I'm in Wichita, Kansas, let's go Tulsa,
Oklahoma, and you have a small shop in Tulsa, Oklahoma, and
(08:17):
because of that, your IT professionals are in Wichita,
Kansas, so they're two and a half hours away.
So what you've done is you say you know what I'm going to allow
you to have admin access to one or two people there in Tulsa so
that they can install devices down in Tulsa
for you, which is a logical thought process and that would
be one that you would probably want to drive towards is having
(08:39):
one, maybe two people with the ability to do that, or have the
remote capability so that someone can do the remote access
or the remote adding of these devices to your network.
But what will happen?
What you will see is, as this one or two people down in Tulsa,
Oklahoma decides they're putting devices, well, then the
manager down there will come up to them and say, hey, Bill, I
(09:01):
need you to add this to this network or I need you to add
that to the network.
And next thing you know, Bill has added 30 new devices to the
network in Tulsa and nobody knows about it.
And so now you've got the only people that know about it is
Bill, because maybe Bill's supervisor came to him, maybe
the plant manager came to him, maybe somebody else came to him.
Next thing you know, it went from having one device to 30
(09:23):
devices and no one really has a true understanding of what is in
the network.
And this is a really bad place to be, because this is where now
you have all these devices that are potentially vulnerable,
that, or could be vulnerable in the future, are now open for
discovery by bad people as well as good people.
So you need to have an asset discovery plan designed around
(09:46):
your environment, and it does provide the understanding of the
overall risks to your environment.
It does help you understand what is going on.
It helps you basically understand how are the different
risks that are involved.
And if you understand those assets, like, say, for example,
you have all Windows 95 machines.
So some of you folks might be listening to this going what is
(10:06):
Windows 95?
It is something really old, really archaic and you would
think should never be run in a network.
But yet it does.
It is on networks, many networks.
It's also in many process control environments.
So that is a big risk.
It does allow you the one thing when it comes to overall
understanding configurations.
It will also allow you to track and correct all authorized
(10:28):
devices.
So it allows you to have the ability to manage these devices
both remotely and, obviously, in person.
And then also, what configuration management does is
it allows you to discover any unauthorized devices within your
environment.
So I say any, that's a very broad term, I would.
And this kind of comes out of the book.
The goal is that if you have a good configuration management
(10:51):
plan, you will discover any and all unauthorized devices on your
network.
Yeah, that's kind of a little bit of smoke and mirrors, I'm
sorry, you know someone might tell me.
Well, that's not right.
Now, the book answer would be any and all devices.
That's what the purpose of it is.
I would say that that's wrong, though, because you're going to
struggle finding any and all devices.
You will miss some, you just will.
(11:13):
But the goal, though, is that you miss very few, and then the
ones that you do miss, you quickly remediate.
So now security configuration management.
This comes out of NIST 800-128.
The discussion around why you have to have it, and then we'll
get into some more details around change control and so
(11:35):
forth, but security configuration management again
NIST 800-128, it's a software-based.
They have various software-based security
configuration management solutions to help you reduce
this plan, or the attack surface, I should say, within your
network, and what these are is there's, like,
SCCM is a good example of that.
That's software configuration.
(11:56):
It's Microsoft's product, and what that does is it provides
you ability to deploy patches and equipment to various
locations within your network, and SCCM is one example of that.
There are many others, and this was that one from Microsoft,
but there's other software configuration management tools
that are out there as well, and they are designed to help you
(12:19):
manage the operating systems, the applications. Applications,
is it depends, but the network devices as well.
The main thing you really want to understand, and when it comes
to configuration management, is you break these down into the
physical device.
You have the operating system that the devices obviously have
as their operating system, their host, and then you want to have
(12:42):
the applications.
Those are really the three main attack vectors.
Now, there's a little bit more involved in that as well, but
the device itself, if it's a VM or if it's a physical device,
your application or your operating system, and then your
application.
Now, if you can realistically and we're talking about risk if
you can control the risk to your operating system, that's a win,
(13:06):
and if you can do that automated, that's even a bigger
win.
If you can control the updates to your device right beyond the
firmware and so forth, if it's a package, if it's a virtual
machine and you package it up, if you can control that, then
that's a win.
When it comes to the applications, they get very,
very convoluted and they also have a lot of application sprawl,
(13:30):
which means people will add applications which may or may
not be fully supported, and these SCM solutions are designed
to help you update these applications.
But the problem with that is that they don't always update
well.
They do tend to break things.
And I would say, if you're going to focus on from a real
world perspective.
If you can get two out of the three, that's a win.
(13:52):
That's a huge win versus what happens in so many cases is
people feel they have to eat the elephant and they can't eat it
because it's so big, and I had to break this down with us.
So if we can get the operating systems patched, awesome.
If we can get the devices patched and updated, awesome.
And we can do this on a routine, automated basis, incredible.
(14:13):
If I can't get the application, well, let me get what
applications I can get and then focus on that, because the
applications will be huge and I know I've spent a little bit of
time on that, but I'm just trying to focus and have you
guys understand.
The applications are one of the hardest things for you to update
and patch because there's just so many moving parts related to
it.
(14:33):
Now, when it comes to requirements, there are
regulatory requirements that force you to do this, that force
you to have a security configuration management plan.
That's PCI DSS, which is obviously your payment card
industry.
Then that's the data security standard.
They have Sarbanes-Oxley, that's your SOX, and then
there's also the Monetary Authority of Singapore, MAS,
that's another one as well.
(14:53):
Many of them will require you to have some level of security
configuration management.
ISO 27001 will actually have that as well.
So they're just stating that they want you to have this
defined plan.
You use some software and you have a plan to do so, versus
just kind of winging it.
Security configurations consist of four specific steps. Now, when
(15:15):
you're dealing with.
Step one is the asset discovery.
Step two is defining an acceptable security
configuration as a baseline for each device type.
Step three is to ensure the security baselines meet your
internal security policies.
Obviously, you want them to meet what you have already in
place, or maybe make a change to your internal security policy
and then manage devices based on a predefined frequency, based
(15:38):
on the specific policy itself.
So again, you want to update these once every quarter, once a
month, once every six months, once a year.
You have to have that defined based on the policy you have.
If you have a policy that says we will update our devices once
(16:00):
a year, then you have your product that is set up to do
that specifically as well.
Now, one other thing you need to think about as you're relating
to configuration management is obviously your operating system
and your application support.
I kind of hinted at this a little bit earlier is if you
have good support for your applications and your
application owners can get you those updates and those patches,
this works well.
Again, where it runs into problems is because if you look
at a large enterprise, just to say a very big company, you have
(16:23):
hundreds upon hundreds of applications, so updating them
can be extremely painful.
But if you have good ownership of who owns those applications
and they can get updates from the vendors that have created
those apps, then it can go okay.
And I'm saying okay because it does not go well, let's just be
(16:44):
honest.
But at least if you have good plans and good processes around
these applications, you can do it.
OS is different, right, because you can control what operating
systems are put in your network.
If you don't control the operating systems well, then you
have another, bigger problem.
So again, understanding operating systems and the
(17:05):
devices that run them is an extremely important factor.
Policy flexibility is a key and sometimes we can become too
draconian to set in our ways as it relates to the policy,
stating I must patch every month, okay, well, maybe you need to
have a risk-based approach to that.
Maybe that is something you need to look at when it comes to
(17:26):
patching.
Do all my patches have to go through a manual change control
process?
Okay, is that flexible?
No, but some companies will require that and that's fine.
It's just knowing full well that that will add a lot of
bureaucracy to your company.
By adding all this bureaucracy, it will add time.
(17:47):
It will also add the ability for mistakes to occur.
I'm not saying you have to just go and hit everything on
auto-update.
That could be very bad as well, very problematic.
So you need to have a good understanding of your policy and
what you're trying to accomplish.
Can you scale it?
Again, we talk about the Wichita main campus and then you
have the Tulsa remote office.
(18:08):
Can you scale that to the remote offices?
Can your remote offices be in China, Malaysia, Singapore?
How does that work when you send up updates?
What does the network configuration look like to be
able to do that?
So, again, scalability is an important factor.
And then closing the operational loop understanding.
How do you operate this and make this happen from an
(18:29):
operational standpoint.
Again, these are not configuration management from a
book's answer is very simple.
It's just hey, you update the stuff, you have a good policy in
place, you update it routinely.
Hey, you're good to go, and that can happen.
But it's from a greenfield approach.
When we say greenfield, it means bare bones, starting up
(18:51):
from ground zero.
From a greenfield approach, that could go well, but when
you're talking, you get dropped in the middle of a network
that's been around for 10, 15, 20 years.
It's a lot harder and if they didn't have a good change
management process in place, it can be very challenging.
And I would say, if that happens to you, plan on a
multi-year plan to get yourself in a good position.
(19:12):
Do not, I repeat, do not try to do this within a year if you're
in a large organization, because it won't happen.
Have a multi-year plan to make this and get the processes in
place, the people to understand what they're doing and then get
the overall buy-in from everybody to make that happen.
Now, when we're dealing with another part of configuration
(19:32):
management, we're going to get into some key activities around
some aspects of this.
So you need to have configuration identification.
This will establish baselines, like I talked about earlier,
about the product structure, function and the overall
attributes of it.
So, having some level to document this via a spreadsheet,
whatever it might be, but you have to have the ability to
(19:56):
document the initial hardware and the software configuration
on that server.
It may be something as simple as a spreadsheet.
It could be something more complex as a air quotes another
application that you have to manage but you need to have some
way of identifying the overall devices within your environment.
Configuration control is another factor.
You need something that manages the changes to maintain system
(20:19):
stability and minimize the overall disruption.
Change control can be very, very disruptive and you need to
have those changes set up in place to be able to do that.
Also, an example is like you're approving and implementing
security patches for an application.
There has to be an approval process in place to do that.
My old company we used to have a very complicated approval
(20:41):
process that would approve monthly patches.
We moved away from that to an automated plan.
As it relates to Microsoft, anything that was
Microsoft-related was all automated.
Why is that the case?
Well, because in many cases, their updates and their
management of their patches is better than what we were doing,
(21:01):
so why not do automate that?
From a Microsoft standpoint, there is a risk that you could
have an outage.
There's a risk that you can break things, but overall, the
amount of time that was spent and the risk that we received
from having delays in getting our security implemented was a
huge factor, and so, therefore, we automated that process as
much as possible.
(21:22):
Configuration status accounting.
What this basically means is how do you have a way to track
and report on your configuration items?
Do you have a dashboard?
Are you managing that with your people?
Do your senior leaders see this dashboard and understand what
needs to be done, and this is helpful because if you need some
level of horsepower, needs a senior leader to help you get
(21:46):
things moving, they will help you in that space.
So this is where the status accounting is an important
factor.
Configuration verification and audit.
This will ensure the compliance with the established baselines.
And then you regularly audit user access permissions against
the defined security policies.
Again, do you have a baseline?
Do you have policies in place?
Are you following your policies?
(22:08):
If you're not following your policies, then one, change your
baseline to meet your policies, if that's truly what you need,
or modify your policies so that it fits your baselines.
It's one or the other.
Just don't leave yourself in a situation where, well, the
policy isn't right, so we're just going to keep pressing
forward.
Policies are hard because they're documenting and it's
paperwork.
People don't like to do it, so they just kind of do stuff.
(22:30):
You have to slow down in many cases to speed up, and this is
an area that you need to consider.
Another part of change management is understanding or a
configuration management is change management.
Now, this is where you're rolling out changes.
This would be around to the overall goals then, to minimize
the level of disruption that your company may have, and this
(22:52):
is this.
Changes can be very disruptive, so it's important that you have
a really good plan in place to maintain your changes.
If you are dropped in, you're airdropped into a new
organization and you for.
One of the first things you need to understand is the change
control process, the change management process that they
have in place.
This may be a change control board.
(23:14):
It could be along with emergency change advisory boards.
They have a process.
It could be one person that is the change control person.
It could be a group of people that are doing that.
But you need to truly understand if I want to
implement changes within my environment, how do I do that?
(23:35):
If you don't have this within your network that you
work at or your business that you work at, you need to try to
implement something like it.
Depending on the size of your company, it may be a very small
process, maybe once a month we do this and you have the IT
director and you have maybe a couple of people from each areas
and we go, hey, we're going to be deploying these changes.
We need to communicate with people what's happening and that
(23:57):
way they know what's going on.
It could be a very simple process.
It could be very complex and laborious.
I work at a company right now that is very complex and
laborious, but that's okay, that's what they do, that's what
works for them and that's fine.
They have figured out based on what they need, to make sure
that the change control process meets their specific needs and
(24:19):
their regulatory requirements.
So, again, you just have to determine what is going to be
best for your organization.
But this board, this change control board they will
authorize changes, maintain the documentation and they will
ensure that it's done in a proper way.
They will review and approve any major software upgrades and
changes to your organization and that's where this board is for.
(24:41):
You have your emergency change advisory board and this can come
by different names, like there's an emergency change
board, emergency change advisory board.
You can name it any different way you want to, but is there a
group of people that will handle any urgent changes that need to
occur and your organization may need those.
If something happens and you have a patch that occurred and
you have to roll back a patch, they may go to the emergency
(25:05):
change board to go.
We got to roll this back now because things are broken.
So they'll handle all urgent changes that occur.
They approve from emergency patches to fix a critical
vulnerability to making rolling back potential changes that may
happen within your organization.
So it just depends on what you're trying to accomplish
there.
But you will see it, especially if a security event or incident
(25:26):
would occur.
This emergency change management plan you need to have that
developed and then change request process.
How do you initiate a change within your organization?
What is the process to do that?
Is it an email that you send a bill?
Is it a ticketing system that you may have within ServiceNow
or another type of ticketing system that's there?
It could be a spreadsheet and you put it in the spreadsheet.
(25:49):
But you need to have some sort of change request process.
Automating it is the best way you can do this because it can get very
complex and very convoluted.
I would also define what is needing a change.
One situation I've seen is a company will require any change
that is ongoing, like operational type changes.
(26:11):
So say I need to tweak something and if I tweak it, I
need to put in a change request.
I've also seen it where in the situation of company will go and
say if your change is going to affect any person you know
impact the individual user, it must go through the change board.
If it's not, if it's going to be just a change to a
(26:32):
configuration on a file, an application, then you can do
whatever you need to do.
That does not need to go through a change board.
But if it's going to have a direct impact on an individual,
then you would need to go through a change board or at
least have a communication to your CIO, CTO, one of those
letting them know what is actually occurring.
Again, it comes down to empowerment of your people.
(26:53):
You have to decide how much empowerment do you want to give
to your people?
Do you want it to all be within the change control process or
do you want to empower them to make changes in your network?
It comes down to people, time and resources.
How much do you have to be able to manage all of this yourself?
So you need to consider having a change control or change
(27:13):
request process in place.
Last thing around change management you need to
understand the communication piece of this.
This is determining how the changes are communicated to your
people.
Now, this can be done in a couple different ways.
It can be sent through a post on SharePoint.
It could be sent through email.
It could be in a DM that's sent to all your individuals.
(27:35):
You need to determine how are these changes communicated and
who are they communicated to.
One thing I did forget to mention when you're dealing with
changes, you may want to consider a canary group, and
what I mean by that is that is there a group of people that can
test your change prior to it being rolled out to the overall
populace, so that they may be individuals or a bunch of IT
(27:58):
savvy folks that are willing to accept a change on their
computers prior to it being rolled out, and the purpose is
that if there's anything blows up, it blows up on a small
subset of people versus everyone, so you may want to consider
having a canary group or a test group within your organization
before you roll out massive changes to your company.
Sorry, I just thought of that.
(28:19):
Now, the other thing around communication, though, is that
you need to determine how it's communicated, and then how are
you going to notify the users on any upcoming system maintenance
that may be occurring?
Again, it can be as simple as sending out emails, but in most
cases, if you're going to be doing something that's broad
brush to the organization, especially if it's extremely
disruptive, you may use multiple communication channels.
(28:40):
You may use email along with posting on a SharePoint or
internal website of what's actually going to be happening
with the change, and you also may tell your service desk or
your client support people whoever's taking phone calls for
service requests that a change is occurring, because one people
will call in and they didn't get the memo, they didn't see it
(29:03):
on the website, they didn't pay attention.
You're just going to have to think about multiple ways for
this change control process to be articulated and sent to
individuals within your company.
Now, as it relates to training, you need to develop a training
plan for configuration and change management, and it's
important that you have this in place one to train new people
that are coming on how the change management process works
(29:26):
as well as any, and that includes employees as well as IT
professionals as well.
It's especially easy or helpful when you're dealing with
helping your IT staff.
I will tell you that I've run into more situations than I can
count of being dropped into an organization and then trying to
figure out the change management process, just to find out that
(29:47):
I've wasted a bunch of time not doing the process the way it
should have been done or just doing a process that really was
not required.
So having a way to train your IT staff on the change control
process can be extremely valuable.
It will help you with reducing any waste you may have within
your company, but again, you must have some level of training.
(30:07):
So, if you're paying attention to the CISSP Cyber Training the
goal of this is to one.
I'm giving you the details you need to help you pass the CISSP,
but also giving you that real-world experience as you go
into working at a new company, some things for you to keep in
mind.
It's the hacks of the IT cybersecurity world.
(30:29):
So, again, training is an important factor because if you
can have it, and this training can be very, very simple. Do not
overcomplicate it.
I've done that myself and I've seen it done.
Time and time again, people will overcomplicate the training
piece of this.
It could be as simple as: this
is what you do, you submit the ticket to this, to XYZ, and then
(30:50):
you let Billy Bob know.
It could be that simple, right?
But just know that Billy Bob will leave the company at some
point, so you've got to have plans to deal with the loss of
Billy Bob.
All right, if you're watching this from Singapore or China,
you're probably going,
I don't know who Billy Bob is. That's okay.
None of us do either.
He's just this fictitious person who is always involved in
(31:12):
IT.
Okay, that is all I have.
As it relates to configuration management, again, this is
Domain 7, 7.3.
And this is configuration management for the ISC squared
study guide.
Based on that.
And this is for getting your CISSP certification.
Head on over to CISSPcybertraining.com.
Again, head on over there.
(31:33):
I've had a lot of great success.
Now, it's not me, but people have had a lot of great success
with my training programs and I also recommend you utilize other
resources out there because people learn differently, but
they've been very successful with my program.
You can go out there and I have my base level program.
It's offered to you at you pay what you wish.
Okay, I will have a base that I'm gonna, a baseline that I'm
(31:55):
gonna be setting, but right now it's pay as you wish, and the
goal is is that all of the funds, everything that comes in
through CISSP Cyber Training, is going into our non-profit to
help adoptive families.
I have four adopted children.
I have seven children total.
My children come from China and Uganda, and I am an adamant
supporter of adoptions for people around the world and we
(32:18):
want to be a supporter of that, and I know it's extremely
expensive to do so, and so therefore, we feel that any
funds that come out of CISSP Cyber Training need to go
directly into helping adoptive families.
Again, it's all for that.
So any purchase you make on CISSP Cyber Training goes 100%
to this foundation.
It does not come to me any longer.
(32:40):
Basically, it comes right down to it is we realize that we've
been called to do something like this, and so therefore, that's
where all the funds will go and therefore that's what we're
going to do.
So if you have any questions at all, feel free to reach out to
me.
You can reach out to me at CISSP Cyber Training, contact at
cisspcybertraining.com.
I'm happy to answer your questions if you have some, but
(33:00):
know full well that this program, the CISSP Cyber Training
program, if you put it to place, you put the blueprint in place
and you take the time that you need to take, three, four, six
months to do it, you will pass the CISSP.
I really truly, if you follow the program and do what the
program says and you follow the letter and you focus on what it
(33:22):
says, you will pass the CISSP exam.
The problem is when people don't pay attention and they start
feeling like they can short circuit the situation.
You may get lucky, but I will tell you that I failed it the
first time because of I thought I knew the content.
I did not know the content and I thought that by just taking
the studying enough questions, I can pass the test and I can at
(33:43):
least get through it.
That will not work on the CISSP. You have to know the content
to be able to pass it.
So go out to CISSP Cyber Training, check it out. Again,
all proceeds at CISSP Cyber Training go to Nonprofit for
Adoptive Families.
Okay, have a wonderful, wonderful day and we will catch
you on the flip side. See ya.