Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Welcome to the CISSP Cyber Training.
CISSP.
Hi, my name is Sean Gerber.
I'm your host.
I provide the information you need.
CISSP exam and roll your cyber checker in the light.
(00:21):
All right.
SPEAKER_01 (00:25):
Good morning, everybody.
It's Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today.
Today is Monday, and we are going to be focused on CISSP training that is going to be specifically for you studying for the CISSP exam.
And this is for domain 1.4 of the CISSP exam.
(00:48):
And so you can go to your books if you wish and you can follow along, or while you're driving, don't do that.
That would be really bad unless you have a Tesla.
I guess you could do it then.
But other than that, we're going to be getting into 1.4.
But before we do, we want to bring up an article that I saw in the news today that actually has me quite concerned.
And I think you all might agree with me on this one.
But it's quite interesting.
(01:09):
The great thing about some of these articles is you see what goes on in today's world; it has only gotten worse and worse.
We'd say, I sound like an old man now on this broken record.
Well, my people, my day, we had it a lot easier.
Well, I mean, yeah, I guess a no, because we didn't have all this internet stuff.
(01:31):
But that being said, this interesting article that I saw in The Register, as it relates to a plant destruction time bomb malware in industrial .NET extensions.
Now, this was an interesting call in the fact that now we're getting into, we knew this was coming.
We knew it, and we've seen little tidbits of it, but there's more and more of it where you're going to have basically malware that's pushed out to these systems that will then trigger at a certain time and place in the future.
(01:52):
And especially when you're dealing with critical systems and manufacturing environments, this could be extremely bad.
And I'm really, I say I'm shocked, but you wouldn't anticipate this would be something that a script kiddie would want to go and do unless they just want to try to blow stuff up.
This is more of a nation-state thought process in my mind of how you can go and start having this trigger at a certain time and place when you wish for it to occur.
(02:14):
So, what actually are we talking about here?
Well, the source is that these attackers planted malicious NuGet .NET packages in '23 to '24 that include a time bomb logic that is set up to go off at a certain time.
Now, this was discovered just recently, on the 7th of November in 2025.
(02:35):
Now, what does this basically mean?
Well, what's a NuGet package?
Well, if you're not real familiar with what a NuGet package is, it's a standard packaging format and distribution that is set up within .NET software.
So it's a package that you would set up and it automatically runs, right?
It will have compiled assemblies such as DLLs, it'll have your metadata, it'll have configuration and content files.
(02:56):
So it's basically a package that's set up to be pushed to run by itself.
And that's what they would call a NuGet package.
Java, Python, all of these have different types of products out there.
Like Java will have npm, Python will be PyPI, and Maven serves for Java.
So these are all the different types of packages that are available.
(03:18):
Now, this is for its focus specifically on .NET, nothing more than .NET at this point.
Nine of those contain malicious payloads.
And of that, there was basically 10,000, these were downloaded at least 10,000 times before they were actually removed.
So there were 12 packages tied up inside here.
Of those 12, nine of those had malicious payloads in them.
(03:39):
Now, the packages mostly contain legitimate and useful code, i.e., hide within, in plain sight.
I mean, that's one of Sun Tzu's major things around the Art of War, hide in plain sight.
So around 99% of them were benign, according to this article in Socket, the ones that went through all of this.
(03:59):
But there was a small 20-line malicious payload buried among the thousands of lines of code, obviously, to be able to get through.
And that was what kind of the purpose of it.
These packages were delayed in the fact that they were set to go off on around 8 August of 2027 for the SQL Server and for the SQLite, which is around 29th of August 2028.
Now it's basically creating a very long fuse in which these are put in place.
Now let's kind of talk about where this is going, right?
(04:21):
So if we're in the industrial environment, this is one of those situations where these guys will update, they'll put a patch out, which, one, a patch takes a long time to even get put in place.
Two, they will put those in place and they sit forever and they're there.
They don't update these systems a lot.
(04:44):
And I think one of the main reasons they focused on this 2027 date is because they understand and realize, I mean, I'm just making an assumption here, that it takes a long time for most industrial complexes to put updates and patches to these systems.
So because of that, they will then put them out there and let them sit for a while.
That again, in an industrial environment, these will sit inside your network, just sitting there happy for a long period of time before they actually trigger.
(05:05):
So this is a very, very scary thing.
And depending upon how your organization deals with packages and deals with these different kinds of uploads, it could be something that you may not deal with for years.
And in most cases, with that long of a lead time, the people that actually install them probably won't be with the company anymore after that period of time, right?
That just happens.
People roll in, people roll out.
(05:26):
So this was designed with an immediate and a delayed behavior.
So what it was designed, designed, geez, is that basically it included immediately activating the malicious behavior, basically ceasing after the 6th of June, and then a randomized short delay, 30 to 90 minutes, that could rapidly produce crashes and failures in manufacturing.
(05:48):
So the point of it is that it would cease after the 6th of June 2028, but it would go in these 30 and 90 minute increments to basically cause massive chaos and things falling apart in a manner that would be more or less chaotic or cascading.
That's the right word I was looking at.
It's more, it would be chaotic, but it would be more cascading.
Now, these are probability-based; now some of the detection and response problems you are going to run into with this.
(06:10):
Because the payloads were published years before activation, the original people that introduced it are probably no longer there with the company, right?
We just kind of talked about this a little bit.
And most of these packages, when they're brought in, they were considered, air quotes, trusted.
(06:31):
So it's highly likely that if this were to occur, and I'm sure it's in other people's environment, and I would highly recommend that if you have an industrial or even like healthcare, anything that's got a PLC type of environment, that you go out and look at some of the packages that you've installed.
Because of the simple fact that these will sit there and lay dormant for so long, when they actually do trigger, it will cause chaos and pandemonium because most people will not know what to do at all.
(06:51):
And they won't know where this is coming from and why it came from.
So, what should you possibly do?
So I would consider looking at an incident response checklist that does have these NuGet packages included in them.
And I would actually, if you can, I would go through and see what packages you have updated.
(07:12):
If you have not kept track of the different updates that you've done within your organization, then, well, shame on you, you should.
You should obviously, through configuration management, which we've talked about in this podcast a few times, you should have a record of what packages have been pushed to those in various environments.
I would start looking at some of these packages just to kind of verify that you trusted them, where they come from.
(07:35):
And then going forward, I would highly recommend that you continue to keep these in an organized manner and that you also will document them as well.
So any type of activity, you can see that you might very well have a ticking time bomb sitting in your environment and you don't even know it.
So if you haven't done it, then start now.
(07:55):
Start today creating this configuration management plan and have it set up so that you are actually making sure that you have documented resources on each of these changes that are occurring within your industrial base.
And I'm gonna point fingers at myself.
Did I do this properly when I was a CISO?
No, I did not.
I just downloaded them, we installed them.
(08:16):
So I can highly suspect that you didn't do it because I didn't, right?
I didn't do it.
I did it for change management for the enterprise, but for my industrial systems, I was not as methodical as I should have been with this.
And so this was something that maybe you could look at where there's an area for improvement in this space.
Again, these updates don't happen very often within an industrial environment.
(08:37):
They do not happen as frequently as you're dealing with your enterprise.
But when they do happen, you should have a documented record of what has occurred, where it's occurred, what are the packages involved, and then what kind of testing was done on these packages.
So again, it's something to kind of consider.
It's again, it's through The Register, it's "Cybercrimes Plant Destructive Time Bomb Malware in Industrial .NET Extensions."
So check it out, go read it.
(08:59):
It's a really good read.
All right, let's move on to what we're gonna talk about today.
But before we do, I gotta put a shout out, a plug for CISSP Cyber Training.
Head on over to CISSP Cyber Training and check it out.
We've got a lot of great content out there at CISSP Cyber Training to include different podcasts.
(09:21):
We have a blog, I have resources with other folks that are out there.
There's also my entire CISSP training program.
I've got tons of free stuff in my resources section.
If you go to my resources section, you will see all of that stuff that's available to you.
It's all there waiting for you at CISSP Cyber Training.
(09:42):
If you want a little bit more hands-on aspects of it, head on over to my various content that I have, and I've got all kinds of information and content packages that are available for you specifically to help walk you through the CISSP question exam.
I got over 50 hours of video.
I've got 1,500 plus questions.
There's thousands that have gone through my programs, and I guarantee you will be extremely excited about seeing this.
(10:04):
There's a lot of great content out there and available to you at the CISSP exam, or CISSP Cyber Training, I should say.
Okay, let's get into what we're gonna talk about today.
Okay, this is domain one, 1.4, compliance and other requirements.
So, what are we gonna get into today?
All right, so just a key overview around what we're gonna begin talking about.
(10:26):
So, you as a CISSP, you as a cybersecurity professional, must be able to identify what rules apply, translate them into security requirements, and demonstrate that you've done due care and due diligence on these.
And then we're gonna get into some various regulations and contractual aspects that you're gonna have to be aware of.
(10:46):
So, failure to meet these legal requirements will create organizational risk, fines, loss of license, lawsuits, all kinds of aspects.
And then if you are the CISO, you have the personal risk in some sectors of having a liability associated with it.
So there's a lot of really great stuff that's out there that you need to be aware of.
(11:07):
So if you're gonna kind of put this together in a map, this law/regulation requires this type of protection, which is proved by this control type evidence.
So that's the point, is that you have to translate that this law, and we're gonna get into some of these laws in a minute, is gonna require this type of protection in the fact that maybe you have to have encryption.
And how would you then prove that you have encryption?
This would be done through a control or evidence factor in which you would provide that.
So you're gonna have to prove that this is in place.
(11:30):
And the ultimate point of all of this is that for you as a CISSP and as a cybersecurity professional, you're gonna have to understand these governance aspects to ensure that you're providing the best protection for your company as well as the best protection for you.
Because, like we mentioned, you could become liable as well.
(11:51):
So let's get into some different items to consider.
You have contractual requirements.
These are obligations from customers, suppliers, cloud providers, or partners that are set up that you must follow and be maintaining.
And these are often much stricter than a law that's in place.
(12:11):
And these contractual requirements are set up so that you maintain their service level agreements that they may have in place.
There's also legal requirements.
You may have national, federal, or state laws that are mandatory that you must follow.
HIPAA for privacy, right?
You've got the Gramm-Leach-Bliley Act, you got that for the financial aspects, you got COPPA.
These are all various laws that you must follow and maintain.
(12:32):
If you're in New York, if your business runs out of New York, you'll have NYDFS.
These are all things that you must maintain for your organization.
Regulatory requirements.
These are issued by regulators or supervisory authorities.
They're often sector specific, such as I just mentioned NYDFS, NYCRR 500, DORA that's in the EU.
Those are all various sectors that are specific.
(12:54):
I've dealt with the Coast Guard, had specific requirements based on our manufacturing and industrial environment within the Gulf Coast of the United States.
So all of these have different types of requirements that are put on you and your company.
There's industry standards and frameworks.
These are not always, air quotes, laws, but they are widely adopted and sometimes referenced in contracts.
(13:17):
ISO 27001, PCI DSS, Cybersecurity Framework from NIST, all of these standards and frameworks are required, or not required, they're referred to in many ways in these contracts, saying that you must follow and meet the ISO 27001 plan and so forth.
Therefore, that's how it's kind of brought up.
You have privacy and data protection rules.
These govern the collection, processing, and storage, and transfer and access of any personal data.
(13:40):
So you have privacy and data rules that you must follow, and depending upon the company that you're with or the corporations that you're engaging with, they may have specific privacy and data protection rules that you must follow if you're going to be doing business with them.
(14:01):
It's an important part for you as a cybersecurity professional, as a CISSP, to make sure that you understand what these are and that you read the documentation associated with it.
I've read a lot of contracts and a lot of different agreements between organizations, and it's important for you to then pull out what is relevant for the company to protect you and your business interests.
(14:23):
International jurisdictional issues.
Data in one country may be subject to another country's laws.
And so this is where the extraterritorial reach is coming.
So in the case of you, maybe you have a situation where you're in the EU and one of the data in the EU needs to stay there.
But can it leave the EU?
Well, if it does, then is it still under the jurisdictional aspects of the EU?
Potentially it is.
(14:43):
So you need to be aware of all of these connections, this connective tissue you need to be conniving, conniving, you need to be connecting with.
(15:04):
So if you're dealing with privacy versus security, just keep this little point in mind.
Security protects data.
Privacy governs the rights around the data.
So you need to recognize when to involve the legal and compliance teams on any of these aspects that you're doing.
(15:26):
It's so important that legal and compliance are involved in pretty much all the decisions you make related to these types of activities.
I cannot stress this enough, legal and compliance.
And I know if you've been listening to this podcast for any period of time, you know that those two are an important part of any organization.
(15:47):
You must be able to produce or support audit evidence, and this kind of talks about our first slide we went over, is the fact that there needs to be some level of evidence to prove the controls that you have in place.
And these need to be able to be provided to the auditors to ensure that you are actually doing what you say you're doing.
So you may say, yes, we have in place, we do a monthly look at all the firewall logs and check all of the access controls on each and every one of them.
(16:07):
But if you don't actually do that and you don't have the evidence to support it, such as the meeting minutes where you talk about it, maybe a log of every time you go hit the firewalls, then it may not be sufficient for the auditors depending upon which organization you are with.
So contractual requirements, some different sources to consider.
(16:30):
The master service agreements, which is your MSAs, you have your service level agreements, which is your SLAs, and you have your DPAs, which is your data processing agreements, your BAAs, which is your business associate agreements, this is specifically under HIPAA, you have a cloud agreement, supply chain and security addendums, etc., etc.
So all of these are different types of agreements you may be subject to or be interested in viewing.
(16:54):
So what do they typically require?
Well, they typically will require some minimum security control that you have in place, such as encryption, logging, access controls, maybe incident response time, how fast you respond to a situation.
And they also may have a notification timeline for breaches.
(17:15):
So you notify within 24 to 48 hours, often much faster than what the actual law states.
You're gonna have to be quick on this.
Now I will say when it's 24 to 48 hours, you need to really define what notification of a breach means.
When is that?
It's an important part you need to work out with your legal team.
And we've talked about this on this podcast in this training for quite some time.
(17:36):
That just because you have an incident that's in your environment does not necessarily mean it's a, air quotes, breach.
You have the right to audit and the security assessment.
They may want to come in and take a security assessment of you or do an audit of you.
They need to also know where their data location and data ownership clauses are at as it relates to the data that they provide to you.
(17:58):
But you on the flip side, if you're providing your data to them, you need to have some way in which you're providing that information to them as well.
So they need to be a subprocessor or third-party approval, and all of that can be typically required by these various third-party organizations.
Now, some considerations for you to consider is that contractual obligations can be stricter than law and must be implemented and monitored.
And it's very important for that.
(18:19):
Because again, depending on the contract you have, you might be legally liable to that, and they will take you to court, and then it gets to be really, really expensive.
Plus, on top of that, then the legal laws will probably start wanting to dig in and then they'll want to spend more time with you, which will cause you more legal expense and it'll get more and more expensive.
Noncompliance, this is a breach of contract.
This is related to damages and loss of a customer.
(18:39):
You don't want to have non-compliance, obviously.
You want to make sure that you are there in your contract and you are following through as you are expecting.
You must track these requirements in a requirements register so that operations and the security operations teams know what to log and what to report.
(19:01):
So, like a risk register, if there's something tied to your requirements that you have within your company, you may want to put that in your risk register as well because it's considered as a risk to you and your organization.
So again, these are high considerations you need to be aware of.
Contractual obligations can be stricter than law.
(19:21):
Noncompliance can be breach of contract, and you must track these and keep these in a place so that your security operations teams and your security professionals know what to log and what to report.
Now, legal requirements, regulatory, industry standards, these are some core concepts for you to kind of consider.
Due care versus due diligence.
Now we've mentioned this in the CISSP training a few times.
Due diligence is when you're investigating, assessing risk, or selecting proper controls.
(19:42):
That's when you're taking the time to look into all of these aspects.
Due care is when you're actually implementing and operating those controls.
That's when you're taking the time and effort to make sure that those controls that are in place are the ones that are specifically set up for you.
The regulators will look at both of those.
So they'll make sure that you did the diligence, but then they're gonna come around real quick and make sure that you have implemented the controls as expected.
(20:03):
You have evidence of compliance.
This is where you're gonna deal with policies and procedures.
You're gonna make sure that you have those in place.
I'm actually doing this right now for our contract, making the policies.
We got the policies in place.
I'm now working on procedures specifically for that organization.
You're gonna have training records that your people have been trained on what's actually going on.
(20:23):
You have technical configurations such as screenshots and exports, and then you'll have logs and audit trails associated with it as well.
And then you'll have third-party attestations such as your SOC 2 compliance or PCI ROC or various ISO certs.
And the point of those is that, as you want to go, in many organizations, they'll want to migrate to that third-party attestation.
(20:45):
And that's where you have all the policies and procedures in place, you have your training records in place, you have a person designed to specifically do that, all the logs are getting kept, they're all being passed on to a security operations center, and then these third parties will come in and assess you and make sure that you actually are doing what you say you're doing.
The extraterritorial, this is where some applies because of where your data subject is.
(21:09):
So, for example, GDPR or COPPA, it's where you offer services, not because of where your services are.
A good example of that with GDPR is if you're offering services that are in the EU, your data will reside within the EU.
And so you just keep that in mind.
(21:30):
That's just various pieces that you must be aware of and you must be okay with.
Data retention and e-discovery, some laws require keeping data for a defined period, others require deleting it after a period of time.
You must know the legal holds and override the normal deletion cycles.
You must understand that.
You must know that when you're putting something on a legal hold, that will not delete, you must not let it get deleted.
Therefore, as a security professional, it's going to be up to you.
(21:52):
If you are the main person, when someone says, hey, I'm putting everything, the legal guy, because it says we're putting it all on legal hold.
Okay, cool.
But your deletion policy states that after one year all the data is deleted.
You may have to be the person to go, whoa, whoa, whoa.
Yeah, anything but legal hold.
So put that in a separate place within your company so that it is not deleted.
That's some training that you can come up with that can actually be very helpful for an organization.
(22:15):
So, some key privacy and sector laws that you should be aware of.
You obviously have HIPAA.
So, we're gonna go through a bunch of laundry lists of these and some key points in each of them.
HIPAA is your Health Insurance Portability and Accountability Act.
This applies to covered entities and their providers and the plans and also the business associates that go along with it.
You have a security rule, which is administrative, physical, technical.
(22:38):
You have a privacy rule, which governs PHI use and disclosure.
So you need to get connected to that.
You can see these slides at CISSP Cyber Training.
They're all going to be there and available for you.
You'll also be able to see it on the blog.
There's a breach notification rule.
This is where you have timelines, content, and sometimes media and your Health and Human Services notices.
And you should be aware of all of this.
(23:00):
As far as that, you need to understand how do you protect PHI.
And this could be through access controls, encryption, audit logs, all of that must be in place to ensure that you're meeting the HIPAA guidelines.
You have GLBA, which is your Gramm-Leach-Bliley Act.
This is for U.S. financial institutions.
And it applies to financial institutions and some non-bank financial services.
(23:20):
Now there's a safeguards rule.
This is where you develop and implement and maintain a written information security program.
And we talk about this a lot.
If you're following any of these other frameworks, you're going to have an information security program already well defined.
There's then a privacy rule, which is notices to consumers, opt-outs in some cases, and you need to focus on risk assessments, vendor management, encryption, monitoring, change management, and the training that goes along with it.
(23:42):
That's what the GLBA focuses on.
Again, financial institutions and some non-bank financial services.
COPPA, this is your Children's Online Privacy Protection Act.
This applies to any online services directed to children under the age of 13 that are, air quotes, knowingly collecting data from them.
(24:03):
So now in the CISSP Cyber Training, do I have to follow COPPA?
Well, I'm not actively going after anybody under the age of 13 unless you're really smart and you've been doing this since you were like five.
So I'm not the kind of person that would go after, would be really necessarily targeted against COPPA.
However, Bluey and all those other types of products out there for children that may be trying to regulate, you know, go after the parents, go after the kids, they definitely fall under the COPPA issues, right?
(24:25):
So verifiable parental consent, clear notices, and data minimization, all of those pieces need to be maintained.
So data classification, child versus non-child data, consent tracking, limited sharing, secure storage, all of those pieces fall under the COPPA Privacy or Protection Act.
FERPA, Family Educational Rights and Privacy Act.
(24:47):
So this applies to educational institutions receiving U.S. Department of Education funds.
Now this is education records, rights of parents and students.
So basically, when it comes down to it, anything that deals with your education, the rights of the parents and the students, any communications back and forth, that falls under FERPA.
(25:10):
So again, access controls, disclosure logging, directory information, PII.
Again, you'll see there's a lot of consistencies between all of these.
But you need to understand for the CISSP exam, the understanding of what is FERPA, what is COPPA, what is the Patriot Act?
That's the next one.
How does it work?
So the Patriot Act was designed specifically around surveillance and disclosure authority.
(25:31):
It enables the government to request certain data for national security and investigations.
And you need to understand what is, and I don't actually even know at this point.
I think the Patriot Act's been renewed a couple times.
I don't know if it's actually been renewed as of late, but I will tell you that they will potentially ask you questions on the CISSP because it's based in 2024 and it was still a factor in 2024.
(25:51):
So it's highly, I should say it's highly likely, it is possible that they may ask you specifically around the Patriot Act and its use within your organization.
NYDFS, this is a cybersecurity regulation that was brought up by the New York Department of Financial Services.
I had to deal with this a few times with different companies.
(26:14):
And this is basically you must have a cybersecurity program, you must have a CISO, you must have risk assessments, multi-factor, audit trails, 72-hour incident reporting, all those fun things.
You must have that in place for you to be operating as an organization within the state of New York, and anything that deals in the financial services aspects.
(26:37):
So this is a prescriptive rule, and you must show the controls actually exist and are tested.
They do not allow you to say, oh, you fill out the form, okay, you're good, no problem.
You will actually have to show that these things are in place and then auditors will come in and look at you.
DORA is the Digital Operational Resilience Act.
This is for the EU and their financial sector aspects.
(26:57):
The EU financial entities and critical third parties, these are folks that are in DORA.
This, you are focused on resilience, risk management, incident reporting, testing, third-party risk as well.
Again, I'm talking about these, but if you consider most all of these areas, they deal with all these aspects.
Resilience, risk management, you name it.
We have additional state privacy laws.
(27:21):
Obviously, you have CCPA, CPRA, you have Virginia, you have Colorado, all these different states have their own types of things.
You know, some consumer rights, you have privacy for dead threatened country states that you're working in.
I would say one thing to consider as a security professional, if you are gonna be focused on the rights or privacy rights within your company, focus on the most restrictive ones.
(27:44):
So California, Maine, Massachusetts.
Those are some of the more restrictive privacy rules.
If you focus on what they require, and then you put that same requirement into your company, you're in a good position that you're gonna be relatively safe from any sort of potential issues.
So just kind of keep that in your back pocket.
(28:04):
Some additional acts or aspects that you need to be aware of.
SOX, Sarbanes-Oxley.
This is for public companies, and this is basically integrity of financial reporting, requires internal controls over financial systems.
Again, same kind of concept.
You make sure you have the controls in place.
Their focus is change management, access controls, logging, and segregation of duties.
(28:26):
FISMA, FedRAMP, this is the federal aspects of it.
FISMA is federal systems, must use NIST or RMF.
That's a risk management framework, categorized under FIPS 199.
FedRAMP is focused on cloud services for U.S. government and must meet 800-53 baselines, your cybersecurity framework aspects, and they must be authorized.
(28:47):
Again, control baselines, continuous monitoring, and various aspects need to be considered when you're dealing with FISMA and FedRAMP.
CFAA, this is your computercrimes laws.
This is unauthorized access,exceeding authorized access and
fraud.
Your focus on this should beadministrative and security
tools and where it's usedlawfully, and then it'll define
your overall acceptable use.
So wiretap laws, you need to be aware that there are wiretap
(29:08):
laws in place, especially in the United States, and that
depends upon the state in which you reside, but in the
United States, just one person has to consent to
recording.
So in the case of you're talking to somebody on the phone and you
say, Well, I consent, I'm not telling that person I consent,
but I consent, you can actually record the conversation of
what's going on.
So you need to be aware that wiretap laws still exist and
(29:32):
they're a bit dated and they're not keeping up with the times,
but they are out there and they're on the books.
Industry stand... industrial, industrial, industry, I can't
even say industry standards, my goodness almighty.
Uh so these are quasi-regulatory.
What I mean by that is that people will talk about
them, but they don't typically say they're required.
(29:54):
PCI DSS, again, this is contractual but enforced like
regulations by the card brands and acquirers.
So your Visa and all the Mastercards and all those, they
will require you to meet their, air quotes, guidance.
But it is not regulatory.
But if you want to work with them, you got to follow it.
And if you don't follow it, you don't work with them, which
basically is a pretty regulatory standpoint.
(30:16):
This is where it's network segmentation, secure coding,
vulnerability management; all of those pieces are a big part of
PCI DSS.
ISO 27001 and 2.
This is a management systems approach, often required in
contracts or by global customers.
It's a risk-based selection of controls and it's designed with
uh separation of duties and internal audits.
(30:37):
And then your NIST CSF, your Cybersecurity Framework, and
the 800 series that are in that.
This is often referenced by U.S.
regulators, NYDFS, SEC as well, and it may become the
expected baseline.
It might be something that you have to follow, whether or not
you actually are following it at your company.
(30:58):
So you might be following an ISO standard.
Say, for example, you're doing ISO 27001, but the US government
or NYDFS is requiring you to do uh one of the 800-53 series; you're
gonna have to map from ISO 27001 to NIST 800-53.
So again, you'll have to just do some mapping back and forth.
There are legal requirements.
(31:19):
Uh the NIST obviously identify, protect, detect, respond, and
recover.
Those are the key functions around NIST.
If you look at a lot of the different frameworks, they have
a very similar kind of flavor to them.
Uh, they may not be quite the same, but they're pretty close.
So again, keep that in mind.
You're gonna have to follow a lot of those.
You may have to deal with them more.
They may become more of a regulatory requirement, even
(31:40):
though they are not a requirement under any sort of
regulation out there.
They just may be highly suggested that you do them.
So, how to translate these into security requirements?
So, identify the data plus the system and scope.
So, keep this in mind.
So, we're just gonna walk through these; these are some little
things for you to kind of consider.
PHI, this is a HIPAA standard.
(32:01):
Customer NPI, this is a GLBA standard.
Cardholder data is PCI DSS.
Student records would be FERPA.
EU personal data would be GDPR, or DORA if it's financial.
So the point of it is that keep in mind PHI, if you hear that,
it's HIPAA.
Customer NPI, that would be GLBA.
(32:22):
Cardholder data, PCI.
Student records, FERPA.
EU, GDPR, DORA.
Those are some things necessary if you're trying to figure out
the map between the two.
Now, obligations to controls, mapping these, connecting these
two.
Access controls, RBAC, MFA: NYDFS, HIPAA, GLBA, PCI.
So again, they want access controls.
(32:43):
Logging and audit trails: NYDFS, SOX, and PCI.
Again, you can see these are all kind of stacking on each other.
Incident breach notification: HIPAA, NYDFS, GDPR, and various
contracts.
And again, the timeline will be 72 hours for the big ones, NYDFS
and GDPR, and then it's potentially as short as 24
(33:05):
hours, depending on the situation with your contracts.
Third party management, you got GLBA, DORA, NYDFS, HIPAA.
So all of those are third party aspects.
And then training awareness, you have almost all frameworks deal
with training and awareness of some form or another.
So obligations, so kind of map this in your head, which ones
they are.
Access controls, logging and monitoring, incident breach
(33:27):
notification, third party management, all of those you
should be able to map to whichever is the appropriate act that
might be involved.
Document in policy and standards.
So you now can show the auditors we know what applies and where
and how to meet it.
This is where you document this.
You want to make sure that you show these auditors
you understand all of these aspects.
And then you need to maintain a regulatory register.
(33:50):
So some sort of register saying, hey, law X, this is how it's
mapped to the various controls that I have in place.
Law Y, this is how it's mapped to the various controls I have
in place.
Now, if you do this well and you have already kind of put a good
program in place, it's super easy because there's plenty of
programs out there that will help you map this to it.
So pick a framework.
(34:11):
Whether it's ISO 27001 or it's the NIST Cybersecurity Framework
or something else, pick one specific framework and follow
it.
You then can map, once this is all done, you can then
map back to what are the controls you have in place to
meet these various audit requirements.
So again, it's an important part.
Pick one and follow one.
(34:32):
Okay.
I hope I made that crystal clear.
So what should you watch out for as a security
professional?
One, the conflicting requirements.
One law will say retain, the other will say delete.
This is where you need to bring it up to legal and have them
help define the precedence around this.
Once you guys define what that is for you and your
organization, you say, okay, we are going to retain.
(34:56):
Period.
Dot.
It says delete, but we're retaining, and these are the
arguments of why we see it this way.
Now, if a regulator comes in and says, Well, that's wrong, at
least you've had legal counsel, you've talked about it, you've
thought about it, you've planned it.
This is why you've done it, versus you just going, eh, we're just
going to keep it.
You can't do that.
You got to bring other people into this conversation.
Data localization and cross-border transfers.
(35:17):
Some regimes and some areas like the EU and APAC, they do limit
data transfers between these.
And this will affect your overall cloud strategy.
And you need to be aware of how you're planning on doing that.
Your breach definitions will differ.
HIPAA versus state privacy versus contract.
Always design incident response to meet the most stringent, like
we talked about just a little bit earlier.
(35:39):
If you focus on the California, Maine, Massachusetts areas, you
are in a much better position than if you focus on, I'm gonna
say Kansas, because Kansas probably isn't nearly as strict
as some of those.
Third party and supply chain: DORA, NYDFS, these all place emphasis
on third party risks.
You must include vendors in your risk assessments and in your
incident response testing.
(36:00):
So you need to keep those in mind as well.
So these are all important parts as we're dealing around the
contractual aspects and the governmental aspects of the
CISSP and of your cybersecurity program within your company.
So again, keep those pieces in mind related to all of that.
All right, that's all I have for you today.
Hope you got a lot out of this great information.
(36:22):
Head on over to CISSP Cyber Training and check out what
we've got.
Got a lot of great free content, but check out my paid products.
They are there and available for you.
If you need a step-by-step concierge approach to studying
for the CISSP, it's the one thing I struggled with, was the
fact that I didn't have anybody to teach me and train me on what
I needed to know for the CISSP.
That is what CISSP Cyber Training is there for.
(36:43):
It's to help walk you through it step by step by step.
Those paid programs are there with the blueprints, with the
calls, with the conversations with myself, with all of those
pieces all available to you, and they're all in a paid format
that allows you to get ready for the CISSP in a way that'll help
you pass it the first time.
All right, thank you so much, and we will catch you all on the
(37:04):
flip side.
Thanks so much for joining me today on my podcast.
If you like what you heard, please leave a review on iTunes,
as I would greatly appreciate your feedback.
Also, check out my videos that are on YouTube and just head to
my channel at CISSP Cyber Training, and you will find a
plethora or a cornucopia of content to help you pass the
CISSP exam the first time.
(37:25):
Lastly, head to CISSP Cyber Training and sign up for 360
free CISSP questions to help you in your CISSP journey.
Thanks again for listening.