Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber, and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:21):
All right, let's get started.
SPEAKER_01 (00:25):
Good morning, everybody. It's Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is what? Yeah, CISSP Monday. So we go over different types of training on CISSP Monday. And we are going to be going over domain 1.3, evaluating and applying security governance principles.
(00:48):
Yes, security governance. Some people don't like it, some people don't do it. But guess what? You should pay attention to it. And if you're taking the CISSP, you're going to have to know it. Yeah, just going to have to know something about it. So this is a goal to talk about domain 1.3. And as you know, if you've been listening to the CISSP Cyber Training Podcast for any period of time, we go over this
(01:11):
on Mondays, and then we tend to go over questions on Thursdays. And that's just kind of some deep dive kind of questions around the domain that we're currently talking about. But before we do, I wanted to get into an article that I saw that just hit the news this late last week. So in this article, this is the hunt for Red November. This is kind of a spin-off of the movie Red October. But the ultimate thing is that they labeled this
(01:33):
attack method as the Red November. And the Chinese government has basically hacked different types of organizations through the past year from June of 25 to July, I should say June of 24 to July of 25. They're basically going after any internet-facing appliances that are deployed on a Go-based backdoor called
(01:53):
Pentagena. And then they're using other offensive type of tools such as Cobalt Strike and Spark Rat. So these are all being used by the Chinese government to gain access to these systems. Now they've been focused primarily on, like I said, internet-facing appliances and VPNs. You know how much I love VPNs. If you've listened to this podcast for any period of time,
(02:15):
you know that I have a special affinity for VPNs. I love them. They're the best. If you're a hacker, yeah, they're great. I love VPNs. The point of it is you want to try to get off VPNs as much as you possibly can, unless you absolutely have to. But they've been focused on aerospace and defense, government bodies, and professional services for all of their attacking needs.
(02:36):
Now, as they're doing this, they focused on the industrial base and they're trying to gain more of a foothold within obviously all of these different types of entities to include U.S. critical infrastructure. The ultimate goal, like I mean, we don't know because I'm not part of the Chinese government inside their hacking division. But if I was them, what I would want to do is get access to all
(02:57):
the U.S. critical infrastructure, actually global critical infrastructure, and have a toehold in all of it. The ultimate point is that if anything, the balloon goes up and there becomes a shooting war between countries, they are in control. They flip switches and things go dark. Once that happens, it causes chaos and pandemonium. And, you know, if you're going to attack an attacker or
(03:19):
going to attack someone, you want to make their life painful. And if you can sow concern, you can sow discord and make confusion occur with these folks, then what ends up happening is you have an upper hand as it relates to dealing with the war or whatever you're gonna be doing at hand. So it's a smart call if they're going to be doing it. I don't agree with it, because I would be probably on the receiving end of
(03:42):
that, but it's a good call. There's different types of organizations that have been hit with this. They're basically talking about also that they focused on the Panamanian government. There was an interesting part of this, is like why would they deal with Panama? Well, back in that period of time, the U.S. government was focused on Panama. They probably still are, but it just hasn't hit the news as
(04:04):
of late. And the U.S. government uses the Panama Canal to get their military aircraft, military ships from the Atlantic to the Pacific. And also a lot of global trade goes through the Panama Canal. If you close up the Panama Canal, well then everybody has to go around the south tip of South America, and that makes it extremely challenging, both from a shipping standpoint
(04:27):
because it's very, very precarious from an ocean standpoint, but it also makes it very long and painful. So nobody wants to lose the Panama Canal. However, that being said, the Chinese government has been actively involved in the Panamanian government and wants to have some level of influence down there. So there's a lot of subterfuge that's going on as it relates to
(04:48):
all of this. But the ultimate goal, though, is that they've tried to get access. Now they don't think that the Chinese government was able to get access to any of these systems. That being said, this is one campaign of many, and they're always trying to do something. So if you have a VPN, then you should just open it up and let them in. No, I'm joking, you don't want to do that. But if you have a VPN, you better make sure it's tight.
(05:10):
You better tie that booger down because they are a great tool for some bad actors to get access to your network, and you will never even know they're in your network. Now, how they got access to this is through Cisco firewall vulnerabilities that were out there. And this is CVE 25, it's two: 20,033 and 20,362.
(05:31):
And it does allow for read-only and memory modifications, which did provide them the persistent, long-term persistent access to these systems. So, again, you can modify the read-only memory. If you can do that, every time you reboot the system, what ends up happening is your Trojan, whatever you have for your software that's running on there to be able to gain you
(05:51):
access, is able to be redone. So therefore, you always have persistent access to these systems. The ability to modify read-only memory is a big deal. So obviously they fixed that CVE or that issue. If you do have any sort of Cisco firewalls, you'd want to make sure that that patch has been applied because you don't
(06:12):
want to allow anybody to have any sort of read-only access to your system. Okay, so that is what I wanted to talk about today. Again, this is the hunt for Red November, and the Chinese government hacked critical orgs for a year-long snooping campaign. You can go check it out at The Register. Okay, let's get started about what we're gonna talk about today. Before we get started, I want to do a quick shout out for CISSP
(06:35):
Cyber Training. Head on over to CISSP Cyber Training and check out all the great stuff we have out there for you. We have free content. I have gobs of questions out there. I have free CISSP rapid review. I have all of those things that are out there specifically for you to help you study for the CISSP exam. And it's all free. There's a big chunk of it that is free.
(06:55):
All I need is your email address. That's it. That's all we ask for CISSP Cyber Training to gain access to all of my free content. And you get that everywhere. But I mean it. It's really good stuff. Some of my friends keep telling me, you give out a lot. And I'm like, yeah, I give out a lot because I want you guys to pass the CISSP. However, if you want some more stuff, such as these videos
(07:16):
that we do, or the audio trainings that we do and the videos that we do, all of that stuff is packaged together and curated for you step by step to include my development of a new 10-day boot camp as well as a three, four, and five month plan for you to be able to study for the CISSP.
(07:37):
Depending on your needs and where you're at. I've got the boot camp that can be done in 10 days. I also have a longer program that's available to you as well. All of that is in the paid content, but again, it's not that expensive in reality of you passing the CISSP and the amount of money you can make getting the CISSP. It is small potatoes. I mean it really is small potatoes, not much there.
(07:57):
But again, go check it out at CISSP Cyber Training. Okay, let's get started. Domain 1.3, evaluate and apply security governance principles. Okay, so security governance principles, these are key concepts that we're gonna get into around the security governance. And I will tell you, when I first started looking at governance, it confused me.
(08:17):
I didn't quite get it. I didn't understand it. And in reality, working in the manufacturing space, I understood it and I knew the need for it, but there was no requirement that I needed to do it. And so, therefore, to have me help get the CEO and the CIO on board, it took a lot of influence to make them do this
(08:38):
because they didn't see the value. There was no, I mean, the risk is there, you've got plans in place. Where's the value in this? Now, as we grew the security governance program of my company, they saw the value immediately. However, it took a long time to get them moving. That being said, now, depending upon where you work, you may have a strong set of governance and compliance
(09:01):
requirements that you have to do to make it because of regulatory bodies that will say that you have to do this. So it's an imperative thing. It really truly is, and we're gonna go into details around that, but I highly recommend that you don't blow off security governance for two reasons. One, it's on the CISSP exam. Ha ha, so don't do that. And two is it's gonna be very helpful for you if you get it in
(09:23):
place, you deploy it well, and you manage it correctly, it will go a long way for you. So here's the definition of security governance. It's a set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that the objectives are achieved, and ascertaining the risks are managed appropriately
(09:44):
and verifying, that's a lot of hands, and verifying the enterprise's resources are used responsibly. Okay, so that's a big run-on sentence. That's a paragraph with lots of big $10 words in it, and you're going, okay, that's yawn, that's a lot of stuff. Yeah, it is, it truly is. But the ultimate thing is to kind of break out of this is one, executive management goals, objectives, right? And that is to ultimately get where you want to go.
(10:06):
So again, if you have goals and you have objectives and you help executive management understand what those are, that is a win. Why is that? Well, at the end of the day, they support you. And if you can tell them what you need and you can make that happen, that is a winning thing. One, it helps make your company secure. Yay! Two, it also will help you make more money.
(10:27):
Yay. So you want to be able to do these things to ultimately help the company, but at the same time, financially, it can do a lot of benefit for you as well. Now, security governance principles, they're a group of security practices that define the security of an organization. We kind of talked about that already just a little bit. They're integrated or imposed, yet they can be imposed in
(10:49):
various forms or purposes by different needs and/or requirements. Obviously, we talked about regulatory and compliance pieces of this. Are you tied into CMMC? That's the defense industrial base here in the United States. Yes, you must follow, have a good governance program in place. Are you in the financial sector? Yes, you need to have a very strong regulatory or I should say compliance slash governance plan in place.
(11:12):
If you're in the industrial standards, you're getting more and more of that with ISO 27,001 and there are many others, right? It's coming. Whether you like it or not, regulations on cybersecurity are coming. They have been pretty loosey-goosey for the past 10 years. But as it's becoming more and more apparent that cyber is here to stay and can cause all kinds of chaos and
(11:35):
pandemonium, i.e. airplanes getting shut down at airports and all that kind of fun stuff, yes, that is going to be a bigger factor. Compliance is going to come into play. So if you're not considering it now, you should. If you're a cybersecurity professional, when you get to an organization and they're not doing compliance or governance, you need to really think hard about how to help them
(11:56):
understand the need for it because it's coming. And if you don't plan for it, it will probably catch you flat-footed and you will have to then start running where you're going. So flat-footed basically means you're not jogging, you're sitting there still, and then all of a sudden you're like, oh, I gotta go. So then you start running. But it's better to be running, and in that process, even if it's a light jog, than it is to be standing still.
(12:18):
So audits and assessments of these different governance principles can occur. This can be done internally or externally, depending upon, one, the need of the requirement. You may have entities that require you to have an auditor assessment done. Or you may have to pay for it, you may not have the money for it, you may have to figure that out too. So there's all kinds of issues there.
(12:38):
Or it can be done internally. You may have an internal audits group that will do this for you. I have been on plenty of these where the audit team does not really understand cyber, so they will bring with them basically an analyst of some kind to help them during the assessment. They work also very closely with your CISO to understand what are some of the things they need to be aware of.
(12:59):
So I've done audits with big companies, E&Ys, all these different types of companies, and they come with a pretty strong subset of people that do get it. However, that being said, I've had to do a lot of hand holding with them as I walk through what I have in place. So depending on the size of the organization, this also can be limited or can be very complex. Big organizations can be very complex.
(13:20):
If it's a small organization, it can be limited and much easier to do. That being said, that doesn't mean you should just kind of blow it off. Don't do that. It's an important part. It really truly is. I was not always a big fan of audits and assessments. I thought they were just paperwork-driven messes and you just had to check the box. I'm like, oh my gosh, this is just painful. It just takes time and it costs me money.
(13:41):
Correct, it does. It takes time and it does cost you money. However, if you do it right and you do it right the first time, you don't have to do it right a lot. That's not the right word to say. You always have to keep doing it right. You just don't have to do as much. You just have to tap the gas a little bit. So if you set the program up really well, and then once it's
(14:01):
going, you just tap the gas every so often. Basically, what I mean is make modifications, change anything that's just changed, then it isn't nearly as terrible. I mean, it just isn't. But the getting started takes time, and you better plan yourself that if you don't have it and you're a good size organization, this is a multi-year type of journey. So you can follow the different frameworks that are out there.
(14:23):
There's 853, 800-100. These are all from the National Institute of Technologies or from ISO. The 27,001 folks will have something as well. There's lots of different programs out there. Working with Next Peak and my company, we have been able to work with a lot of financial institutions, and there is a product out there called CRI, which is your Cyber Risk
(14:43):
Institute, and they have a really good governance layout on what you should have for your governance program. If you can follow CRI, you are in business, man. You've got a lot of good stuff in place. And I would highly recommend that you go look at it, even if you don't have a, say maybe you're using the cybersecurity framework for something like that, the CSF.
(15:04):
That's fine, and I think that's great, but I would go look at CRI because from what financial institutions are using, if you can fill out that information for that, it will go a long way in helping your overall program. The downside of it is as you look at it, it can be a bit overwhelming, and you may go, well, I can't do this. And you're probably right, you can't do this right away. However, I would recommend you do look at it and start planning
(15:27):
out maybe picking out of there, cherry picking, picking small things that you feel you could use within your company and then implement those as well. So just something to consider at CRI, Cyber Risk Institute's framework for financial institutions. The other thing is business integration. It's not just an IT issue to resolve.
(15:47):
A lot of times this will come down as your CEO goes, IT, you guys fix it. Just go fix it, make it happen. And that's a wrong attitude to have. I'll be honest, if your CEO takes that kind of approach to cyber, or your COO or someone along those lines, they just go, hey, IT, I want you to fix it. I'm gonna be very transparent. I would highly recommend that you do a great job for them, do
(16:07):
your best job for them, but look for a new job. The reason I say that is because unless somebody in senior leadership, and that means the CIO on up, and if it's lower than the CIO, I wouldn't even mess with it. But your CISO, obviously, but your CIO and on up, if they don't take cyber seriously, you need to look for a new organization. The reason I say that is because at some point they're gonna get
(16:29):
pwned and you're not gonna want to be part of that dumpster fire. So you want to make sure that you are in an organization that takes it seriously and they don't just give it lip service, which means they don't just talk about it, they actually do something with it. I'm just being very transparent from a mentoring standpoint. I would do that. Just think about it. So it's not just an IT issue to resolve, and it's integrated at
(16:50):
all levels of the organization. Governance needs to be. Now, if their leadership says, yeah, yeah, yeah, I'm on board, and they don't, well, that's your CISO's job, or if that's your job, if you're the CISO, to help get them educated and help them be part of this governance program. It can be managed by a group or a committee, and I'd highly recommend this. The group of the committee that was managing it
(17:11):
for my organization was moi, me, and that was not what I wanted. So I ended up having to bring in compliance. I brought in HR, I brought in the CIO, many different people that were helpful in this governance process. And this can report the findings to the board of directors. I highly recommend that you report your findings to the board. They need to be involved in understanding what is actually
(17:31):
going on as it relates to cyber. If your board is not part of the overall cyber kill chain, it's not really a kill chain, but information chain, then you may want to start that process and what does that look like to be able to get this information to the board? I mean, at the end of the day, the board's gonna be responsible for this, so I would think they would want to know. It took me a long time, crazy as it sounds, to get in front of my
(17:53):
board of directors about our cyber stuff. My CIO, very nice man, but was a little hesitant on doing that. And I still to this day don't quite understand why. I think a lot of it comes down to is that it was so new and he didn't want to baffle them with BS, which was basically confused the fact that they didn't understand it and he didn't really want to even try to address it.
(18:14):
So I would highly recommend your CISO is involved with your board of directors of some kind, and if not, you need to figure out how to get that influence there. Okay, so the following roles that we're gonna talk about here are responsible for the security of the data. They're not static or predefined, and in many cases, these are a learned skill, which as we get into these various
(18:36):
roles, you'll see that you may not have ever done data owner for a company. You may have to learn it. And we're gonna get into that here in just a second. But you need to understand that as you're going and trying to understand data security for each of these specific roles, you need to have a good plan. Job descriptions and skills should not be defined in the role itself specifically. Those would be a specific area that's outside of
(18:59):
what we're talking about. So let's just kind of get started and it'll make more sense as we go. So, a senior manager, this is a person that is assigned with the ultimate responsibility of the security for the data, for the information itself. They have approval authority over the data. So I ran into this as an example when I was dealing with various intellectual property type of things.
(19:21):
So as I'm trying to get this data secured, as I'm working with the senior leaders on this, one of the things that came out is they always came back to me and said, Well, hey, Sean, you can approve this. You're the data owner or you're the senior manager, you can make this all happen. And I said, No, I said, I cannot approve this. The reason I say that is because at the end of all of this, I am not the one that's ultimately responsible.
(19:41):
I am responsible, and if things go sideways, it's on me. However, that being said, I'm not ultimately responsible for that. Now, the situation where it occurred was the fact that the CEO, it came down to is he was at the end of all this officially responsible for it. And he was the approval authority. Now he did pass down the ability for me to approve it, but if
(20:05):
there was any questions, I was supposed to reach out to him and I would also just inform him of any of the things that I did approve. But I wanted to make sure that he was understanding that he was the ultimate person responsible for the security and the protection of the data itself. If anything bad happened, both of our heads would roll. And I did this on purpose too. One is he needed to have skin in the game.
(20:27):
And the purpose is that if he would just acquiesce this to me and if things get screwed up and the data gets exposed and people start coming back after me, I didn't have a chair when the music stopped. So I wanted to make sure that the CEO was fully invested and fully involved so that if I go down, he goes down. And the point was that this was his data.
(20:49):
This wasn't just Sean going out there being rogue. And you as security professionals need to be aware of this. No offense, but there's people out there that will hang you out to dry if they feel that it'll work in their best interest. So you need to make sure that you have a battle buddy with you when you go into any of these situations. You do not want to be the only person that has approval authority for all things security.
(21:11):
You don't want that. You do not want that. You want to make sure that they're invested too, because then when things go bad, which they will, they're not just pointing fingers at you and you're going, What do you mean? We were in this boat together. No, no, I wasn't in this boat with you. Yeah, yeah, they were. So you need to make sure that you have that all done up and ready to go. Security professionals.
(21:32):
This is where an information security professional, they follow the direction of the senior manager. Typically is not a decision maker, but they are influencers. So I started off as a security professional and then I ended up being more of a security manager. But it was more of an influencing standpoint when we first began. I would say some of the folks that used to work for me as analysts were more of an influencer.
(21:52):
They did not have any responsibility, but they gave me some influence on what we should and shouldn't do. So that is an important part of any organization. You need to build that into your company to make sure that all folks that are security professionals are an influencer for you in the relationship of securing the data within your company. The next one is a data owner.
(22:13):
This is a person who's responsible for classifying the information. Now, it's typically a high-level manager. In the case of myself, it was the engineers that had access to our intellectual property. They knew what was best for the company itself, and so they were a pretty high-level senior vice president kind of person. Now, they can delegate this responsibility to the data custodian, which we're going to go into in just a minute.
(22:36):
But they may go, well, you know what? I don't have time to approve all this. You have it, Mr. Custodian. So they had a situation where we had a senior vice president, he was in charge of the data. Any sort of responsibility with it was run by him. However, he also had folks that were his senior leaders that he delegated this responsibility down to as well.
(22:57):
So he didn't become the bottleneck and the choke point. If approvals needed to occur, we would reach out to him and then he would approve it. If he wasn't available, then we would reach out to his senior leaders and then they would approve it. So it's a good hierarchy of data owners and data custodians. So intellectual property is a really good example of how this can work. You know, who can approve SharePoint sites, who can
(23:19):
approve the data classification schema, all of those things can be done by the data owner and then potentially passed down to the data custodian. Now, data custodian, which we kind of talked about a little bit, they're assigned to implement the classification schema and they're designed to do that specifically. Now, if you don't have a large organization, your data owner and your data custodian may be the same
(23:39):
person. Or you may have two data owners and they both operate as a data custodian. So not all organizations will have this. It's just a term that you need to be aware of for the CISSP and if your organization may need it. Now, they perform activities to ensure that the confidentiality, integrity, and availability triad is met. An example of this, like we kind of just quickly talked
(24:01):
about, is your IP owners. I have had the IP owner delegate that down to some of my security professionals because they felt confident enough that this person knew enough about the intellectual property to do that as well. So your data custodian typically is delegated from the IP owner or the data owner itself, I should say. And it could be someone within the IP space or someone that
(24:24):
understands that data, or it could be somebody else. It just really depends. There's no specific job function that has to have it. Again, you deal it based on your organization and what your needs are. User, this is any person who accesses the data or its secured system as well. They must uphold slash meet the security policies set forth.
(24:44):
This is why policies are an important part of any organization so that they are met by your organization. Users need to be aware of them so that way they don't go out and go rogue and do things they shouldn't do. Or in the case of when you're dealing with your security aspects, your user goes out and does things that you don't want them to do, and then because you didn't have a policy in place, they go, Well, there's no policy. What says I can't do this?
(25:05):
And then you have nothing. As a security professional, you have nothing to hold them accountable. And it's just painful. So then you're like, okay, fine, you got away with this one. Now I gotta make a security policy. And then they do it again, and you're like, Well, I didn't have my security policy done when they did it again. Well, yeah, see, it's not done. So then what do you do? You fire them. Yeah, no, you gotta figure out. But you build a case besides that. You do, yeah, I had that situation.
(25:26):
Does it sound like it's kind of a raw statement? Yeah. That happened to me when I first started. I didn't have a good policy in place relating to cybersecurity and IP issues. Person decided to share passwords of IP-related information. And what ended up happening is then I didn't have a leg to stand on to try to get this person booted. So, yes, I then quickly started putting things together and they
(25:48):
did it again, but I had enough documentation to get them fired. So again, the ultimate point is it's a constant race that you're dealing with. If you build your governance program right and you do it well the first time, it can make your life a whole lot easier in the long run. Auditor. This person is responsible for reviewing, verifying the security is properly implemented.
(26:08):
This can be delegated to the information security professional. It can be done to a lot of different people. Like, so I was an auditor at times for different organizations within my company. I also had some of my security professionals that worked for me that were auditors within my company. So they're very helpful. So it just depends. You can have internal and external parties. I highly recommend that if you don't have an external auditor
(26:31):
company on hand, you probably go out and find one. I would highly recommend though, I say that a lot, that you don't just go find the E&Ys of this world. They are expensive. Yes, they're crazy expensive, and there are other companies out there that can do just as good of a job. E&Y and those guys will charge you a fortune, and they say, Well, we're E and Y, so you are amazing, and we are amazing.
(26:53):
Yeah, so I'm not bashing E&Y, I'm just saying you can get just as good of a product from someone that's probably half that price. And I'll go plug Next Peak. Ha ha. If you go to Next Peak, we can help you. Most definitely, we can help you get any of your auditor assessment work done at about a third of the price. Yeah, or half to a third. Yeah, somewhere right around there. Don't quote me on that, but yeah, we can help you immensely.
(27:14):
So again, go to different internal or external parties to help you with that. Security control frameworks. Now, these are a structured set of security controls, policies, and best practices used to manage the cybersecurity risk. And you're gonna see this as you're dealing with a framework, and there's different types that are out there, but as you get into those, you're gonna see that they're designed specifically to help you manage the cybersecurity risk.
(27:36):
They're designed to provide consistency and repeatability for securing systems, data, and the operations. So as you go into these different types of frameworks, you will see the different levels. Also, if you start comparing them, you'll notice the differences between them. If you look at that, like I said, CRI versus ISO versus CSF, there are differences. And again, based on your company, you need to pick the
(27:56):
one that's best for you.
There is no easy answer to this.
There is a consistent process you have to kind of follow to go through it.
Now, it helps an organization systematically identify, implement, and monitor security measures.
And then it does help you support your compliance and risk management plans for your organization.
And the bottom line is if you can do this, it helps also indicate your maturity of your company.
(28:18):
Uh, we we've seen this when we do audits and assessments.
If you have a lot of these things in place, uh you will show it will show that you are a very mature organization.
If you do not have things in place for what the framework will say or the mapping of the different frameworks say, you will then look like you do not have a good uh maturity level, and therefore it could affect you from insurance risk in a lot
(28:38):
of different ways.
Now, the importance of this is it helps standardize the security approach across your teams and your systems.
It also allows you to help talk to your senior leaders and ensure that they are aligned with what you're planning on doing.
And that kind of goes to the last bullet of ensures alignment with your business goals and regulatory requirements as well.
So frameworks are an important part, and it's something you really, truly need to integrate and adopt within your company.
(29:01):
Now, a little bit about the background above of these.
They were developed in response to this different threats that we're seeing out there.
And some examples we've talked about is ISO 27001, COBIT, NIST 800-53, or the cybersecurity framework as well.
Those are all out there specifically for you to use.
Now, again, more complex IT environments are causing this.
(29:21):
Also, the integrations with many third parties.
Your third party uh risks that have really increased over time, and it's imperative that you have these frameworks to help highlight some of these risks you may have with third parties.
Indeed, it also is an important part where you reach out to your third parties and see what frameworks they are using.
If they aren't even using any sort of governance aspects, so
(29:43):
no frameworks they're following, then that might give you a little more indication of where their security program is at.
So you need to have a measurable, auditable security practices.
That's the ultimate purpose of it.
And then your integration with risk management and business processes is an important part.
Now, again, there Their move away, the trend that we're seeing now is that you're moving away from compliance-only focus
(30:04):
to a risk-based approach.
What does that mean?
Well, so in the past you had to go through the checkbox, right?
Now they're moving towards a I say it's risk-based, but it is risk-based in the fact of your controls, but it's also compliance aspects as well.
So when you're dealing with risk-based, is that if you have, do you have multi-factor in place?
Yes.
Okay, so great.
(30:25):
That's that would be a checkbox.
You have multi-factor.
From a risk-based standpoint, you may say, we have multi-factor.
However, we're not going to allow uh MFA with text.
So, like if you text you a number 2536, um that number you could be intercepted.
So therefore, we will not allow that from a risk-based system.
It is multi-factor, but it's a weak form of multi-factor.
(30:47):
We are going to require you to use an application of some kind.
That would be more of a risk-based approach, depending upon the situation of the company.
If it was compliance only, it's like, yes, checkbox done, uh, and therefore you're good.
But the risk-based is focused on what is really going on within your company.
But that also requires you to be relatively mature in what your
(31:08):
security program looks like.
In the beginning stages, you may just go with more of a compliance-only focus because you're just trying to get things working.
But uh, and you may then migrate more towards a risk-based approach in the future.
It just really depends on you and your organization.
The integration with DevSecOps is an important part, as well as cloud security and obviously continuous monitoring.
All those are modern trends that we're seeing within the
(31:30):
framework space.
So, some core characteristics in how this is built out.
This is organized collection of controls grouped by functions, such as identify, protect, detect, respond, and recover.
That's focused on the cybersecurity framework aspects of this.
Now, I will tell you that there are like the CRI has identify, protect, detect, respond, and recover, and then it has a
(31:50):
couple more that's added to it.
So it just depends.
They're adding a little bit more.
A lot of it's around resiliency.
Uh, it's repeatable, it's designed to be applied consistently across different systems and environments.
So again, it's a it's a guidepost, it's to help you move in that direction.
It's measurable, it provides a baseline for performance metrics and audits.
And like we talked about before, it you want to have metrics.
(32:12):
You want to have something that is measurable.
Without that, you you really don't truly know the status of your overall security for your organization.
Now there's examples of security control frameworks, which would be the NIST CSF, ISO 27001 and 2, uh, Critical Infrastructure, that's the CIS, then PCI DSS, those are specific.
I talked about uh CRI.
(32:32):
CRI is one that is not industry specific around the financial industry, but it is focused specifically around the financial industry, but can be used in many different formats.
It's it's a very ubiquitous type of product that's out there.
So I highly recommend it.
I just do, I fell in love with it doing that one consulting gig that I had.
Um, and I think it's really important for organizations to
(32:54):
use CRI, at least to look at it.
Maybe use it as a litmus against the CSF.
I think it's probably best.
If you're just getting started, start with CSF.
And then as you get more mature, you want to use incorporate CRI in places where it makes sense.
Now, what it isn't, okay, it's not a one-size-fits-all solution.
It does require tailoring to meet your business size, your
(33:14):
risk profile, and your specific industry.
You have to do that, just kind of like we talked about already.
Um, it's not a security product or tool, it's a blueprint.
It's gonna help you get down this path.
It's guideposts to help you.
It's not a software or any type of hardware.
Now, there might be software out there to help you manage it, but in reality, it's not a software that you can push an easy button
(33:35):
and it will work.
So it's more of a guidance and a blueprint to help you down this path.
Uh, it's not a guarantee of security, right?
Um, it will reduce your risk, but if you do everything that's that you can and you follow the framework and you do it specifically to a certain consent or a certain point, you still can get hacked.
That is not gonna stop it from happening, but it will reduce your risk substantially from being uh affected by an attack.
(33:59):
So again, keep that in mind.
Uh, and that's one thing you need to set examples and set expectations with your senior leaders of going, hey, once we put this in place, we are free from any cyber risk.
Do not say that, right?
That is not what you want them to understand or convey to them.
You want to say this dramatically reduces our risk, but we still have a risk out there because it's going to cost a lot of money and time to implement these frameworks, a
(34:21):
lot of it and opportunity costs, but at the end of it, you're you have to express to them that the amount of money spent and time spent is going to reduce their overall risk to the organization.
It's not a replacement for risk management.
Frameworks support risk management, but do not make risk decisions for the organization.
So again, they help you guide you and put you in a direction, but they will not make the decisions for you.
(34:44):
Now, when you're dealing with mapping, we're gonna kind of talk about mapping here in just a minute.
So this aligns with multiple frameworks for compliance efficiency.
And well, in this case here, we're gonna talk about the CSF and we're gonna talk to HIPAA.
But in the case, you can have it go to CSF to 27001, SOC2, CIS controls, you name it.
You can have that set up.
But it helps avoid duplication of effort and it helps reduce
(35:08):
because some of these can get very large and uh onerous.
And if you have this mapping, it can help the auditors understand why you mapped these certain controls to the certain effect.
So it simplifies audits across multiple standards, it improves coverage and identifies gaps, and then it supports enterprise res uh enterprise-wide risk management strategy.
I do like the mapping piece of this, but again, pick the
(35:29):
appropriate map for you based on what you're using.
Uh so you in the case of this, I use HIPAA, even though they're two different separate one that deals with risk and one is not more compliance driven.
You you may have that situation come up.
You may not be one-for-one.
So you have to decide which is best for you and your organization.
So, in the case of this, uh you can see on this table, we have
(35:50):
this NIST CSF function on the left side, and then you have the HIPAA security rule in the middle, and then what would be an example of the implementation?
Now, there's various different types of mapping tools that are out there for you.
You can find them all over.
You can find a CRI's got from uh NIST Cybersecurity Framework to CRI, you've got uh the CSF framework to HIPAA, you've got
(36:11):
all kinds of different pieces that are available to you.
So if you look at the table, it basically comes around and says, and if you guys that are listening to that, we'll kind of walk you through it, but if you're watching, you're seeing the video, you can kind of see where it's at.
Uh you have your identify, which is your, they break it down into a format, ID, right?
So that's identify.
And then you have asset management, which would be ID.AM asset management.
(36:32):
In the asset management case, the HIPAA security rule that would map to it would be 164.310 delta two and then three.
So I mean it goes down in different levels.
And this is basically device and media controls and accountability.
And those that's what maps to the identify and asset management piece of this.
(36:53):
And the example would be is maintain inventory of hardware, software, and media storage to include electronic PHI.
So that is what would meet and map to the NIST cybersecurity framework and HIPAA.
This continue to go down in risk assessment, and they have one for in the HIPAA for risk analysis, and then that would be perform periodic risk analysis to identify threats,
(37:14):
vulnerabilities to electronic PHI.
And then protect is access controls, and they have access control within HIPAA, and that is to implement unique user IDs, emergency access, and automatic logoff for systems containing electronic PHI.
So you can see that the ultimate point is that it will map in CSF, it maps in HIPAA, and it gives you a function of what you
(37:36):
can do.
That being said, some of these, like in CRI, I keep going back to it, they actually have evidentiary aspects where you have to have an evidence to show what are some things that you would have.
So they don't just leave it up to you to figure out what is the evidence to support you have unique user IDs.
And then you would document those unique user IDs.
So again, it's cool.
(37:56):
Some key notes to think about, takeaway from this slide, it's not a one-to-one, right?
Mapping is conceptual.
HIPAA is prescriptive while CSF is risk-based and flexible.
So again, you you're gonna have to, it's not one for one, but it gives you a great guidepost on where you should go.
You need to tailor your requirements, each organization.
You've got to adjust your controls based on size, complexity, and risk environment.
(38:16):
It it will vary from a healthcare to a manufacturing facility.
There are gonna change.
Usefulness mapping does simplify compliance efforts and reduces redundant controls and helps improve the audit readiness that you are for an internal audit or an external audit.
So mapping is it's a really a valuable tool.
It truly, truly is.
Now, due care and due diligence.
(38:37):
So, what is this?
So, acting prudently by implementing reasonable security measures based on known risks, reflecting on what a reasonable person would do.
So that is what we call due care, right?
So, due care is the reasonable care of protecting interests of a new organization, and it's a proactive approach to securing your environment.
It's ensuring that you have that in place.
You create a culture of security, it helps you do that,
(38:59):
and then ensuring that all things are in proper order.
That's taking the care, the time, the effort to ensure that you're doing what you should do to help secure the organization.
So, in example around this would be enforcing access controls and employee training, uh, developing an incident response process or business continuity plans, and then applying patching and having a good vulnerability assessment program in place.
So that would be what they consider due care, right?
(39:22):
It demonstrates accountability, failure may lead to negligent claims or penalties.
What does that mean?
If you don't do due care, that's do do, if you don't do the due care, uh you could actually open yourself up for litigious situations.
Honestly, any of this stuff, if you don't do it well, you you could be sued.
And in today's world, you probably will be.
So yeah, the more you can have in place, it will definitely
(39:42):
take the air out of the attacker's room, I should say the litigious lawyer's room, uh, if you have a lot of these different aspects in place and you are doing them from an accountable standpoint.
Okay, so now we're dealing with due diligence.
So if you're dealing with due diligence, this is the systematic researching and understanding risks, threats, and vulnerabilities to organizational assets through
(40:02):
ongoing investigation.
Means you're studying your adversary, what you're digging deep into what they are.
So it's practicing the activities that maintain a due care effort.
So all the stuff you put in for a due care, you're trying to maintain that.
Now, this requires carefulness and reasonable care.
Now it's an approach to security versus random or haphazard, and it's basically you're taking a plan, you're thinking about the
(40:22):
adversary, you're thinking about how they might attack you, and you're putting things in place to mitigate that risk.
This is a must.
If you don't heed this warning, it will cost you.
That's very, very true.
You need to do your work, you need to understand the threat, you need to put protections in place for it.
So, examples of this conducting a vendor background checks, performing security audits and threat intelligence gathering on
(40:43):
the bad guys and girls, reviewing industry benchmarks and for risk exposure.
So if you're following, let's say, the framework for manufacturing and you are a financial institution, that would not be due diligence.
You would be goofing up.
Now you're doing due care because you're following a framework, but you're not doing the diligence needed so that the best framework or benchmark you would be using would be something in the financial industry.
(41:05):
So again, you want to make sure you focus on what you're supposed to do.
Who's the adversary, who's the attacker, what is your best practices for your industry, and are you following them?
Now, the importance of this enables informed decision making to maximize liability uh or to minimize liability and to protect the organizational value that you have.
So, okay, that's all I have for you today.
(41:27):
Head on over to CISSP Cyber Training and go check it out.
There's a lot of great stuff there for you.
It's amazing.
Again, a lot of free things.
You can't beat it.
Uh you can get my rapid review products, you can get all of my CISSP.
I have a bunch of CISSP questions for you to get.
Lots of great free content.
If you think you need a bit more and you need like such as my
(41:47):
10-day boot camp, you need my uh three, four, or five month boot camp, uh training blueprint, that's available to you.
You just you can have paid products that are on there for you as well.
So go to CISSP Cyber Training, check out all the stuff that's there, and I tell you right now, you will not be sorry if you did.
If you're studying for the CISSP, it will help you pass the doggone test and get on with your cybersecurity career.
(42:10):
All right, have a wonderful day, and we will catch you all on the flip side.
See ya.
Thanks so much for joining me today on my podcast.
If you like what you heard, please leave a review on iTunes.
I would greatly appreciate your feedback.
Also, check out my videos that are on YouTube, and just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the
(42:31):
CISSP exam the first time.
Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey.
Thanks again for listening.