Transcript for:
Day 1 CISM Certification Overview

foreign okay good morning and welcome everybody to cybrary's live streaming of our Schism certification course and cism of course stands for certified and information security management my name is Kelly handerhan and I'm going to be your instructor for the four modules of schism which is what we're going to be covering in this class I've been around the I.T field for over 20 years really over 25 years starting out back in the days when you can make a living as a hardware technician moved over to networking then Network architecture design and cyber security for about the last um you know maybe uh 15 years cyber security almost exclusively so started out with Windows nt351 Novell 31 I've been around for a minute to say the least now the last 10 years I have been focused on information secure management primarily in the cyber security field leading projects project manager program manager I am uh sizzo of my own organization that I've created and founded for training and consultation and I do have various certifications throughout the information security field most importantly and relevant to the class I do have the system certification it's always good when your instructor has the certification they're teaching we like that but I'm certified across some other things with Cloud security and project management and risk management also really helpful in life and in relation to the Schism exam so I just tell you that so that you know I've been in the field for a while I've been teaching for a while and I have experience getting certified and helping other folks get certified which is exactly what my goal is today I want to give you the information that you'll need to take to learn to study and so that you can be ready for the Schism certification exam now this is this is guaranteed 100 percent for you to pass the exam it's going to be a great start my job is to help you prioritize what to study as well as to understand the concepts that you need in order to absorb the 
material and then there will be some other tools that we have here at cybrary that I'm going to be showing you in a bit so that you can get additional material in additional help with your studies all right but for now I say let's go ahead and jump into our material so the first thing that I want to talk to you about is in this first section we're going to just talk a little bit about the Schism exam what the domains are what the role of a Schism might be within an organization and just the easy answers they're usually you know I would generally equate uh a Sizzle as somebody that has a Schism certification and that's often the role that systems are looking to have but like I said it's a project manager program manager of in information security prop uh projects or programs this is going to be a really helpful certification for you to have we'll talk a little bit about the exam and what to expect and then we're going to move forward and start talking about the domains now system comes from an organization called isaka so um you know it it used to be about information assurance primarily and auditing is originally was originally isaka's focus it was Information Systems audit and Control Association that was their the meaning for their acronym but over the years they've really expanded Beyond audit and controls and have really branched out into the world of risk management they've branched out into of course cyber security and so they felt like that acronym was a little bit constraining so isaka is just I sack at the day they they've kind of taken away the the meaning for the acronym and they're just affectionately known by so many of us as isaka knowing that they cover a broad range of information for cyber security foreign excuse me I got so choked up there uh just to talk to you for a minute about the Schism certification exam this is a highly sought after certification exam uh it has become in Greater demand every year that I've been teaching it the certification 
started back in 2003 really because of the fact that we needed some sort of criteria to assess whether or not someone has an understanding of information security but bigger than that do they have the capability of managing an information security program and information security environment so there is a small degree of technical knowledge that sort of uh the groundwork but the majority of this exam focuses on management skills understanding framework developing policy developing an information security management system we which which is basically just a very broad term for an environment that supports Information Security based on the organization's need so that's what the Schism certification exam is all about if there are any of you that maybe don't have a background with it like I said this is becoming more and more popular more and more sought after so I think it's a great certification to get and I've certainly benefited from having this certification now before we start the class I always like to go over prerequisites for the class the big thing is they're no you don't have to have any of these prerequisites for the class you don't have to have job experience you don't have to have Network background security background but to take the exam we'll talk about in a few minutes there are requirements to hold the Schism certification so if you're wondering can I benefit from this course I think people across the board regardless of what your background what your experience what your career goals are I think everybody can benefit from a course that looks at cyber security in context of the workplace and what the business needs are but like I said that doesn't mean everybody can get Schism certified now this class will make the most sense to you if you have a background in networking or if you've gone through a class like a net plus or a Security Plus another certification that goes that's just so perfectly aligned is the sea risk certified in risk and 
information systems Computing um that is also by isaka and there is a ton of overlap between the c-risk certification and the system certification so it's a very likely follow-up to this course and we'll be offering it uh in the future as well also if you've got some experience in Information Security Management obviously that's a big help as well so what prerequisites do you have to have none can everybody benefit from this class absolutely but there are things that'll make this course a little bit easier for you and those are the prerequisites that we've listed now what we're going to be covering is we are going to start off this course with the topic of information security governance this is about 17 of the actual Schism exam so the idea is we have to start with governance before we can get to management and when we talk about governing entities of the organization we're talking about our senior officers our chief executive officer our Chief Information officer we're also though talking about the board of directors we're also talking about um you know any steering committees often or up at that level as well so they are the entities that set the tone the direction the organizational goals and objectives and without those we can't develop um an efficient and effective security program so we start and what we'll be covering today is domain one information security governance now tomorrow we're going to move into talking about information security risk management and risk management actually used to be 30 of the exam and they've shrunk it a little bit which is interesting to me it's now 20 percent of the exam so about a fifth of your exam is going to be on risk management I really don't believe that that's any reason to doubt the significance of risk management in relation to cyber security the two need to be integrated so that we can make good business decisions on the amount of security we need and we'll spend a good amount of time talking about that but when we 
talk about implementing security we need to start with asking ourselves what are we protecting okay data okay then what's it worth we have a certain value high medium low or we may have a quantitative value that we can say hey what we're protecting is worth eighteen thousand dollars you know whatever all right now once we know what we're protecting what's it worth then we have to look at the threats and vulnerabilities that exist okay threats and vulnerabilities give us a risk okay then we want to figure out what the value of the risk is what's our potential for loss we take our potential for loss up against the cost of a counter measure and we make a good cost effective decision on the right amount of security that is risk management and that is cyber security so the two really are intrinsically linked and the more we understand risk management the better we're able to do our jobs in cyber security so that's the main two and even though it's not you're not going to see as many questions on the exam as in the previous versions of the exam it's still a very significant topic and in some ways I think they kind of lessen the number of questions because they have the C risk certification uh that's specifically focused on risk management and I think maybe they didn't want too many overlap of ideas or questions but please know risk management is a critical aspect of cyber security we'll talk about that tomorrow all right now on day three we're going to cover our information security program and that's a third of our tests so really important the idea is senior leadership determines our strategy our vision our broad goals and objectives but our information security program is how do we get there well how do I accomplish the goals and objectives of the organization well I have policies I have procedures I have standards I have guidelines that I Implement I have security controls that I Implement in order to protect my assets there are a whole range of action items and 
documents to be produced that are part of the security program so I kind of think this is the how to accomplish the what that governance says is important right governance governance says this is what we want to do our information security program gives us the tools to actually do it and to get there and then the last section is Incident Management and again interestingly enough with this new um this newer version of the system exam they've kind of moved around priorities this actually used to be less than 20 percent and now it's 30 percent the reason is they've expanded this to cover much more than just incident response which is what it was in the beginning notice that it says Incident Management so now we talk about uh planning we talk about detecting incidents and of course response and incident response can also include Disaster Recovery responses it's much broader than it was in previous domains so we'll wrap that up on Friday and uh like I said 30 of the exam so this will give you a breakdown if you are thinking about taking the exam where your priorities need to be with study okay we're going to cover one domain per day and sometimes I get the question of how long will this take as long as it takes all right so you know if I had to give you my best guess there's probably going to be three to four hours of lecture we'll uh intersperse some breaks uh including probably taking 20 25 minutes just so that we can get a lunch break depending on you know where you are located throughout the globe that may be helpful to you I'm located in Silver Spring Maryland and I get hangry if I do not get a lunch if I go too long without a lunch break so we'll probably take little a few breaks here and there trying to take about a break an hour just so that everybody can get up get the most important accessory to learning which is a cup of coffee so that's just kind of what you can expect from the class um this is something that we are is kind of a work in process this live 
streaming so uh bear with us if any sort of technical glitches come up I think we should be fine and also notice that you do have access to ask questions and those questions will be passed along to me so it may take a moment for you to see your questions I'll wait for a logical pause uh to get to them I just want to let you know this is a real class with real material this is the material that I use the exact same material that I use to teach studentism when I come out to an office or whatever and I'll be conducting this class as normal so this is a great benefit this is really kind of cool I was surprised that cybrary was was opening this up just a free live stream I think it's tremendous and I want to encourage you guys to use it just like you would a typical class so if you have questions if you uh you know want your versus voices heard jump out there all right now as I move along I just wanted to kind of mention again how everything's connected right so when we start with information security governance and we write the policies we understand the needs of our stakeholders the priorities of the business well where we go from there is going to be driven by risk management what is our risk appetite what tolerances do we have how are we going to make good business decisions well how much risk do we want to be exposed to all right now how much risk we're willing to be exposed to is going to dictate what our security program looks like and again our security program is the combination of controls and policies and procedures how we organize our um our hierarchy within the organization it's driven by risk management and of course an important part of our security program is we have to have a means to detect and respond to incidents so they're all interrelated as so much of the information technology world is just wanted to kind of show you that flow the exam is gonna be four hours and there are 150 questions all the questions are multiple choice each question is 
usually just one or two lines you don't get these huge paragraph questions that you have to analyze what they're you know trying to get at usually the questions are short and sweet I don't think you're going to see scenario questions each question has one answer either A or B or C or D there is no choose all the that apply or no there are no uh none of the above or both A and B they're very straightforward I have not had students run out of time I've not had students tell me they've run out of time on this exam I think four hours is plenty based on the format especially if you take some of the principles we talk about in this course and apply them you do your study you go through you take the tools that you have available to you spend enough time getting ready I I think you should be good to go okay so I'm going to do my best to point you in the right direction I do also want to stress that once you pass the exam you're not automatically certified as a schism and you cannot use the Schism designation meaning you can't say I've passed the system exam right that's not making you or you can't say I'm a Schism because you passed the exam you have to continue with the process and the next process is you have to fill out an application they'll remind you of that you'll you'll give them your email when you take the exam and you'll get a message saying congratulations you passed now complete the app now on the application you have to uh designate that you have the documented relevant work experience they will ask you for that relevant work experience on your application the work experience used to be four years or actually five years in two of the domains changes from time to time so what I'm going to ask you to do is I'm going to ask you to go to isaka.org and they will tell you specifically the requirements to you'll see the system certification and information about that always go straight to the horse's mouth because I sack of changes the requirements from time to time 
so I'm just going to tell you if you want to find out hey do I have that work experience go to isaka.org and you can read through their most current lists of requirements um once you submit your application there's a small fee in order to do so they'll review your application and then ideally you're certified that certification is good for three years or if you continue with your education and you attend a certain amount of training hours per year then you can avoid having to retake the exam and you can continue with your certification as long as you're getting those continuing education units each year again to find out how many of those CEUs I'd like you to go to isaca.org because how you go about that what what constitutes a ceu that can vary all right so isaka.org is the ultimate Authority for all the specifics regarding the exam itself and if you're not sure about any of those and how to apply and all that good stuff isaka.org is where you go all right so just wanted to give you some preliminary information about the exam what to expect I know some of you are already planning on taking it some of you are considering it so I hope that just gives you kind of a little teaser about what to expect from the exam process but I'm ready let's go ahead and start talking Schism stuff right let's go ahead and jump into domain one and domain one is information security governance this is where it all starts so let's just come back to governance itself right let's just talk about generic term governance and I promise you I'm not going to read from slides across my heart but anytime we have something directly from isaka that we see in quotes I think it's important to look at as they've stated it just so that we make sure that our minds are in alignment with isaka so just to hit a few high points here so the first piece governance ensures stakeholder needs conditions and options so what do we do as a business what goes back to who our stakeholders are and what they need any 
conditions that need to be satisfied what their concerns and approaches are and then notice we don't have to satisfy every stakeholder need but we do want to identify them and balance those stakeholder needs against things like you know cost Effectiveness um uh what's the word I'm trying to think of now the liabilities sorry let me just pause and get another coffee another sip of coffee so we figure out who our stakeholders are and what they want then we have to balance them against other concerns like cause like liability issues so on so that we can determine the objectives and goals of the organization that we're trying to achieve governance then is going to set the direction by prioritizing and decision making so they're not the ones who are sitting there with pen and paper in hand writing the policies choosing the controls to protect assets but they do prioritize you know where do we direct our attention first and they do make the decisions they make sure that we're achieving our goals right as they've specified against any sort of criteria that we've set so the important thing is when we look to governance over the organization they prioritize they provide oversight to help us meet those goals and objectives and ensure that we continue to do so even though they may sign off on policies they're not the ones writing policies generally they may direct what the policy should contain but they're not the ones going through the motions doing the legwork okay so if we take that idea and then apply it to information security governance well we know we're going to have a lot of overlap right so we know that with information security governance we need oversight we need prioritization we need evaluation all revolving around their information security assets now notice when we're talking about our information security assets we have to look at how we evaluate if you'll remember a few minutes ago when I was talking about risk management I said we have to start by looking 
at our assets and what they're worth so we evaluate our assets determine how to create store use archive delete this these pieces that you see creation storage use archival deletion these are the phases of the data security life cycle so essentially in information security governance we're we are using the guidance of governance and applying it to our information which is exactly what you would think about when you look at the term information security governance but what we're doing here is we're using the goals of the organization to drive how we handle information throughout its life cycle right so how do we store data we always will go back to the goals and objectives of the organization it's our goal and objective of the organization to reduce costs to its absolute minimum value well if all we're focused on is cost as an organization that's very likely going to mean that we may cut some Corners right but if the goals of the organization are to inspire customer confidence well then we're going to take a lot of time and emphasize transparency we may choose to become certified based on various information security Frameworks or whatever that may be so the point is governance comes first what's the priority what's important to the company information security governance which is a subset figures out how we protect information in a way that's in alignment with the organizational goals and objectives I gotta tell you the truth if I had a nickel for every time that idea comes up in isaka material I would have a lot of nickels okay one of the most important things when you walk into this test is you want to remember that the role of information security governance is to satisfy the needs and objectives of the business and that's not just a testable idea that's the reality of what we do in information security but I don't know about you but I've heard a lot of I've heard people say you can never have too much security and that's absolutely Incorrect and that's an idea 
and a concept you want to keep from you know that's a rabbit hole you don't want to fall down you can absolutely have too much security when you have so much security that your organization can no longer function effectively or efficiently that's too much security you know if you think about it how many of you have 15 deadbolts on your front door not me I have one I have a regular door lock and a deadbolt might I'd be more secure if I had three dead bolts or five or ten maybe but here I am with 17 bags of groceries in my hand because you know I'm not making two step two trips out to the car right and I've gotta put the bags down and unlock deadlock one and deadbolt 2 and deadbolt 3. that's too time consuming that's not meeting my goal and objective of being efficient coming to and from my home because that's my goal and objective I don't want 15 deadbolt lots and by putting 15 deadbolt locks on my front door I am taking away from the efficiency of meeting my goals fight and obviously I'm being a little bit silly there but the business has to do its business right and if we have so much security that users have to provide uh have to log in every time they access a file or they have to answer security challenge every 30 seconds obviously they're not going to be able to perform their work so what our job is also with information security governance is to figure out and really it is to support the business in the way that meets their needs what that means is the business is really my customer and the customer mandates the degree of security that's necessary now I can invite advise I can instruct I can conduct risk analysis and use that in order to help educate the business the customer but when it comes down to the decisions that comes from the business units that's another idea that's all over this test and really essential that we understand the lines of business these are the folks that own the data the data owners determine the security so if I recommend a security 
setting and the owner of the data disagrees it's the owner of the data that gets to choose not me my job is to help them make good decisions but when push comes to shove that's what it comes down to so this is a very specific mindset you want to walk into the system exam with and you want to remember as you're working within information security understand the goals and objectives of the organization figure out how to best support the organization and work with the business owners to determine the right amount of security sometimes we in Tech and we insecurity go in with the security solution in mind we have to understand the business objectives before we can have any idea what the company needs with the data you know what the data needs as far as protection sometimes we get the cart before the horse right and that's why the data owners make the decisions all right now as we continue moving along this first chapter I got to tell you the truth we have to kind of go through some foundational stuff to build upon so I want you to bear with me because we're going to talk about governance and structure we're going to talk about Frameworks and some compliance ideas so I want you to know that this is really relevant to us even though it may not set your heart a flutter and I realize that but hang in there this is a great certification it's good information we just have to lay the building blocks okay so what I have here in front of us right now is a corporate governance structure now for corporate governance there is no one document that says every organization on the planet must be structured this way right that would be ridiculous every organization sort of has their own way of meeting objectives their own organizational structure what I have on the screen is just sort of a generic sort of suggestion as a general sort of default start for developing a corporate governance structure the most important thing is that we have a structure we have a hierarchy we have a clear 
pathway for reporting we have well-defined job descriptions roles and responsibilities we make sure that um that we have separation of Duties within this organizational structure so I don't want you to feel like oh I got to memorize this but just know this is just kind of a generic typical one but what you'll notice shareholders at the very top these are the folks that drive what we as an organization do right ultimately the shareholders we have board of directors we have a CEO that works with the board of directors and answering directly to the CEO or the other senior managers and then we have the individual committees maybe steering committees that individual units or business units report to right so our Auditors would report to an audit committee that would report perhaps directly to the board but notice that we have kind of that separation of Duties and we have a structure that would allow that reporting to happen without sort of conflict of interest or any sort of um uh difficulty or pull as far as priorities go that's what's most important with our governance structure so of course that's determined what the structure is by the shareholders Boards of directors and the hierarchy does need to be well defined again with roles and responsibilities which we'll look at just a little bit all right so what's the responsibility of these Boards of Senior Management do care making sure that risks are adequately mitigated allocating resources appropriately meaning we don't just throw a whole bunch of money at security we expect we spend the appropriate amount looking for a positive return on investment our ultimate goal here is to make decisions based on risk awareness to know when we have too many vulnerabilities Too much exposure to know when maybe we're willing to undertake a little bit more risk for the possibility of gaining more sometimes we call that a risk utility what we stand to gain from taking a risk so it can oversight and I'm going to talk a little bit 
more about due care as well as due diligence in just a moment all right some of the typical roles and their responsibilities could come up now again it's not a hundred percent written in stone but for instance companies have CEOs that's generally their top their highest ranking officer right that's you know kind of how we Define a CEO and this is the person that has the ultimate authority to make decisions for the organization often when we talk about liability liability often goes all the way up to the CEO depending on what the issue is so for instance if we have an organization that has a major security breach a lot of times maybe the security officer but then depending on the scope of the breach and the organizational structure it may be the CEO also that's held liable you know for uh CEO would certainly be held liable for loss of company assets for failing to protect resources appropriately so they're the chief decision maker and then from the CEO we'll look at some of the other senior officers first of all the CEO Chief operational or I'm sorry a chief operations officer now the operational functions of the business so this is usually the person just a step down from the CEO they're in charge with the business meeting the business goals and actually even before that determining what the business goals are and ensuring that the processes and procedures are in place to make sure we're capable of Meeting those goals so when you think about the COO their ultimate goal is meeting the goals you know implementing a program so that we can meet the goals of the organization that's a really important role of course but the reason I point that out is the ultimate owner of the data of the organization or I won't say ultimate owner let's say the decider when it comes to risk management of information data of protection of resources the ultimate decider is the Chief Operating Officer and the operations team so just a minute ago I said in security we don't get to determine 
how everything should be just should be secured it's the data owners the lines of business starting with the CEO I'm sorry the CEO all the way down I hope I'm making sense uh maybe I I need to have more com more a larger cup of coffee but if I'm not making sense make sure you're asking your questions in chat so if I go through something too quickly just let me know hey can you repeat that or or uh you know uh say it again but the COO ultimately is going to be the entity that's going to determine what amount of security is enough for the resources of the organization okay not the security team we serve operations and the head of operations is the COO so you could even see a question like who would best who would be the best officer to oversee the security program and a lot of people choose the CIO Chief Information officer sometimes people choose Chief security officer but reality when we talk about sponsoring the information security program or having sign off on it that comes from the business so it's not unusual at all to see the COO sponsor the security program because they're the ones that have to look at the value of what's being protected versus risks and make a good business decision okay so a really important role for us in information security making sure that we work with the Chief Operating Officer to make sure that we understand what the allowable trade-offs for security are now other officers I'm kind of surprised I didn't put CFO on here because your Chief Financial Officer is really important and you say but Kelly why would the Chief Financial Officer be important in relation to security you're probably not asking me right you're the ones that signed the checks so chief executive officer Chief Operating Officer Chief Financial Officer these folks have to be on board and have to understand the security function and the needs for security now Chief risk officer of course and it would kind of be assumed that that's a given but the chief risk officer 
looks at all risks and may be focused on business-type risks as opposed to information security risks. So they're part of the picture, okay, but it doesn't mean that they are knowledgeable in relation to specific information security risks or IT risks. Same idea with the Chief Security Officer. You know, they're going to be looking at things like facility security and other types of security. So the idea is everybody has a role to play in information security. That doesn't mean all your executives are specifically involved in the day-to-day, and it also doesn't mean that they have buy-in by default. All right, Chief Information Officer: ultimately responsible for the management, implementation and usability of information and computer-based technologies. So the CIO has a lot on their plate. Do we have the right technology? How do we acquire that technology? We have to look at it from a cost-benefit standpoint. We have to make sure information security risks are appropriately managed. We have to ensure that we have the proper policies in place, and on and on and on. Usually we also have a CISO. It used to be that the CISO would report to the CIO. We've really gotten away from that, because we want that CISO ideally to work directly with the board of directors or even the CEO, to make sure that we approach security from its own unique perspective, to make sure that the information security officer doesn't report to the information officer, because that information security officer may need the direct ear of the CEO or of the steering committee. They are specifically focused on CIA. So, CIA triad: any of you that have been around information security know confidentiality, integrity and availability, and when we think about information security, that's what we focus on. Confidentiality: I need to keep my secrets secret. I need to make sure we prevent against unauthorized disclosure. Integrity means I need to be able to detect unauthorized modification of
data. I need to know that the data is reliable and hasn't been changed, okay? And then availability, of course: I need timely access to the data. So I need to be able to access the data when I need it; it needs to be available in a timely manner. All right, so those are our senior officers, senior leadership. So when I talk about senior managers, those are the folks I mean. But we also then come down to functional management, and when we say functional management, we're looking more at department heads. So there would also be a manager in relation to information security, and they would report to the CISO. Whereas governance figures out what we need to do, management figures out how. So these are the folks that really get to the nitty-gritty. It's great to say we need 99.997 uptime, and that would come from the CISO in relation to availability. Now the information security manager has to come in and say, okay, so we're going to need a seven-node cluster, it needs to be geographically distributed, here are the services that will exist on the cluster, right? So figuring out how to accomplish the goals set by the CISO comes to the information security manager. Again, for those of you testing, think of yourself as a CISO, okay? You are not the boots-on-the-ground person. You're not the one to fix. For instance, if you were to see a question like, you have an employee that's scheduled to be terminated at 3 p.m.; at 10 a.m. on Friday, what should you do? Well, you are a CISM, a CISO, or at the very least a generic sort of information security manager. Your job is to make sure policies and procedures are in place. But as far as having a manager or CISO come down to the basement and disable an account, because I'll guarantee you most people, when I say hey, you've got an employee that's going to be terminated, what do you do? Most people will say, well, disable their accounts, revoke their credentials, get company property back. But that's not our job. So on the exam, what is your job in
relation to that instance? Call the appropriate parties, review policy, make sure that we have processes in place to handle termination, okay? So again, our priorities on this exam: we are not doers, we are not fixers. We make sure that the appropriate parties have the right policies and procedures to follow. We make sure that they're trained. We make sure that they're supported, and ultimately we evaluate whether or not the security program, these policies and processes, are in fact successful, if they provide us with what we need. Now a couple of other roles that we want to address, and I've already mentioned the data owner. The data owner: when you hear that phrase, think operations, think the lines of business. So the sales line of business owns sales data, okay? When we talk about production data, it's owned by the production team. So they are the data owners. They are the ones generally that create the data, that use the data, and they are the deciders. Always, the data owners are the deciders. So if there's a conflict between security I want to implement and what they want implemented, they win, and the reason for that, and this is very important, is that they're focused on meeting the goals of the business, and it's their job to understand how much security to implement while not negatively impacting too greatly the goals of the business. Security always costs something. Ain't nothing free, right? We're always going to have to pay for security, maybe with performance, maybe with ease of use or user acceptance, maybe backwards compatibility, but whatever it is, we'll have to pay for security. So the data owner determines how much they're willing to give up to have secure assets, and their decisions must be made, in theory would be made, with the ultimate goal of meeting business objectives. So it's their job to determine how much security is enough. So obviously our risk management philosophy, appetite, approach, framework needs to be integrated throughout the organization so that our data owners
are able to make good risk-aware business decisions. But again, the data owners are the deciders. Now the data custodians are the ones that maintain the data day to day. Who backs up data? The custodians. Who recovers, who implements the security controls? Usually it's the tech team. These are the folks that are the custodians, right? So your admins, your technicians, your fixers of problems, those are the custodians. And then ultimately we look to bring all of these roles together so that we work towards, first of all, so that we understand and then work towards the goals of the business. All right, that's a good spot to pause, and I am going to pause from time to time and check in with you all and see if you have any questions. But don't feel like you have to wait for me to pause. If you've got a question or a thought, just jump right in. Does anybody have any questions or any thoughts or anything you want clarified based on what we've covered so far? Okay, if there are no questions, and if your question hasn't made it to my screen yet, that'll happen in just a moment or two. But what I'd like to do now is I'd like us to just take a short few minutes' break, give us a chance to stand up, refill our coffee and do those things that we need to do, and we'll be trying to take a short break about every hour. So let's do this: it is 11:56. Why don't we please return at 12:05, and that way we can have our break and pick back up. So please return at 12:05 and we will continue. All right, everybody have a good break. Okay, welcome back from break. I just wanted to cover a couple of questions that popped up in our chat over break. So let's see, the first question I had was from Samir: if there is any time in the training where we will get some real multiple-choice questions like the exam. Yeah, I'll try to be kind of interspersing them throughout my lesson, and then at the end of the day we'll go over just a handful of questions
to kind of see the approach. But one of the things that we're doing at Cybrary, which again I think is really cool, so we're offering these live streams now for those folks that want to make use of additional Cybrary services, which we have a lot of, but primarily the things that would be most helpful to you would be that we work with CyberVista, the organization Kaplan, and I don't know if any of you have been around long enough to remember the company Transcender, but at any rate we're working with these other organizations and have created an exam question database. I'll show you those in just a little while; I need to pull those together. But we do at Cybrary offer labs with many of our classes. There's not really a lab for CISM, because that doesn't lend itself, but we do have additional exam questions that would help you get prepared for the exam. But during training I'll throw some questions out, and at the end of the day we'll review. I also want to congratulate Arthur, who just recently passed his CISSP, because he is a rock star. Congratulations, Arthur. And Chad, I appreciate your comment as well. And then we had a question from Ned, who is studying for the CISSP using the course on Cybrary. Great, so glad to hear that. And Ned wanted me to kind of parse out the differences between who would take CISM and who would take CISSP. You know, there is overlap, of course, in the exam, particularly the sections on risk management, on information security governance, absolutely. But primarily I would look at CISSP as for folks that are more interested in staying technical, whereas CISM is for folks that want to move up into management. For me, you know, I stayed in technical for a long time, but once I started moving towards management, program management, once I set my sights on various executive roles, I decided to get the CISM certification, the project management certification, the PMP, and CRISC. I felt like those were both really important with
the focus on moving up into executive management and leadership. So that's how I would kind of look at the differences, but I'll tell you, CISSP is not as technical as it used to be. A lot of this that we're talking about here, about focusing and understanding the needs of the business before we make security decisions, there's a lot of that on the CISSP exam as well. All right, those are the questions I have in front of me, and like I said, in just a little bit I'll give you a sample of some of the questions that Cybrary offers to help you get ready for your exam, and depending on your course, like CISSP, we also have a lot of really good labs out there that'll help you as well. All right, but back to business, and our business is talking about information security governance, and we said this really lays the groundwork for our information security program, which we'll look at on day three, which will be Thursday. So governance: ultimately, what does governance provide an organization? Well, there are some principles that governing entities should adhere to. Now these come from an organization called the Open Ethics and Compliance Group, OECG; I had to think about that acronym for a minute. And ultimately the principles of sound corporate governance are: governing entities should be fair. That sounds reasonable to me, meaning they act without partiality or prejudice. They make good business decisions based on business requirements without acting upon bias. Now, for those of you that will be back for the CRISC certification course, we'll talk about some of the ways that we do act with bias, a lot of times unintentionally, and that can impact the governing and the management decisions that we make. So we want to act without that bias. Accountability: we need to be held to a set of standards to fulfill responsibilities regardless of our roles within the organization, so our governing entities too, and in many ways that comes through legal requirements and legal liabilities, right? And that we
have to adhere to regulations and laws and requirements from our stakeholders and stockholders. Transparency: now with transparency we want what we do to be out in the open, without hiding. We want to make sure that we're able to provide accounting for our processes, our procedures. We want to be sure that we are able to be audited, that we have that capability to display our approaches to risk management, information security, as necessary. And then of course responsibility: that we do our best to serve our stakeholders and our stockholders. This is not the type of exam that's going to say, what are the four principles of corporate governance? So this isn't something that I want you to memorize. Generally, when there's something, hey, you gotta memorize this... so much of chapter one is understanding the concepts and the foundations. Now you're going to get about 30 questions on corporate governance, so they'll give you a couple of sentences and they might say, you know, you're leading a project and have to choose a developer. Developer A is a senior developer who performs very quickly but is a difficult employee. Developer B is slower but generally gets along with everybody on the team. Which developer do you choose? So the idea is that we act without partiality or prejudice, and they'll probably word it a little bit better. They'll probably say something like, Developer A doesn't like you and you frequently conflict with them. So the idea is we choose the developer that does the best work, because that's acting without partiality or prejudice. Just because a developer doesn't like to work with me doesn't mean that I don't choose them if they do the best work. Again, I'm just kind of pulling this off the top of my head, so don't nitpick that question too much, but that's how you could see these questions. So I'm ethically required to act without bias, to choose the team member that performs the best work whether they like me or not. I mean, dear Lord, if I
could never work with somebody that didn't like me, I would be sitting at home in my basement right now. Actually, I'm sitting at home in my basement right now, so maybe that's not a good sign. But the bottom line is we act with fairness. So they're not going to say, hey, you know, fairness, accountability, transparency, responsibility, expecting you to memorize them, but they may expect you to demonstrate these in decisions that you make, okay? Now the benefits of information security governance. Well, we could really talk about that all day. Why do we need governance? Well, you have to have oversight, right? You have to have ultimate accountability. There has to ultimately be someone that has that skin in the game to ensure that we protect our assets as necessary, and as necessary means we don't want to be held liable, we don't want to be sued, certainly don't want to go to jail, but we also don't want loss. Now every organization is susceptible to loss. How much loss will we tolerate? Well, we have to have governance to make those decisions. We have to have someone to define what the goals and objectives are of our information security program. The goals, the objectives are determined by governance; what the program is and how it's going to accomplish those goals comes from the program. So again, this is really just an extension of what we've been talking about. I cannot stress this enough to you again for the exam: so much of this, I saw a lot of repetition on my exam. I saw a lot of questions that at the end of the day led to: understand the goals and objectives of the business first, figure out how information security fits into the business. Governance leads management; governance points the direction, sets the goals; management figures out the how. Again, just these questions over and over. And I think that it's also really significant to understand that passing this exam, for those of you that are studying for it, is much more of a philosophy,
an understanding, than it is about memorizing a bunch of facts. I don't know if any of you have taken like a Security+ exam, where you have to just memorize a whole bunch of stuff: port numbers and firewall rules and this, that and the other. This is an exam that really is going to test your ability to make good business decisions based on the information in the question, how you can choose information security solutions to meet the goals of the business, and you'll get tired of me saying that, I'm sorry, but it's so important, and that's what this class and this exam focuses on. All right, so I think we're good here. I think we get the role of governance, but these questions: am I doing the right thing? Okay, so the stakeholders have told me what their goals are; am I satisfying those goals? Am I balancing, prioritizing those goals? Are we doing them the right way? Sometimes there are multiple ways to get from point A to B, right? Am I doing it the right way, and getting them done well? Am I choosing the most efficient, effective approach? And are we realizing benefits? Because if we're not realizing benefits, then maybe we aren't doing the right things, or we aren't prioritizing correctly. So if the answer to any of these questions is no, we need to figure out how to change the nos to yeses, okay? Let's see, question here. Amanda, hi, good question: when did I take the exam last time? I took it in June of last... let's see, was it June? Maybe in August. But I took it very shortly after the new exam objectives were out. Honestly, I didn't see a huge shift in the nature of the questions. I felt like there was a shift in number of questions. You know, I definitely saw more questions about business continuity, incident detection, incident response management, a couple of very high-level forensics questions, just like how do you prioritize what would be accessed first, just very high-level stuff. So I saw some differences in number of questions for each of the domains, but honestly, if it weren't
for that, to me I felt like it could very easily have been the same exam I took when I first took it 12 years ago. You know, so I have taken it currently, so everything that I share with you is from my experience as well as other students that have taken this as well, okay? Now we've said that governance sets the goals and objectives. Then the question is, well, how do we meet those goals and objectives? And like we said, governance isn't going to go through and write every policy, procedure, standard, guideline. Governance isn't going to choose what the control is. But what governance is going to have a hand in deciding, and specifically, they're generally going to choose what framework we adhere to as an organization. So for instance, we may find that our goal and objective is to increase customer confidence, right? That's determined by governance, that we want to increase maybe our trustworthiness within the industry, customer confidence, brand recognition, those sort of objectives. Well, one of the things that we may choose to do in order to accomplish increasing customer confidence would be to become certified as an organization, just like you as individuals are looking to get certified as individuals, as individual workers, so that you can kind of prove your reliability and your knowledge. Organizations may get certified based on certain frameworks, or they may just use the frameworks as guidance. But ultimately we don't need to reinvent the wheel, right? We want to increase confidence, so having a proven, tried-and-true method of approaching an information security management program may be the way to go, and there are a lot of frameworks that are out there. Once again, not something hugely testable, so you don't need to be scratching out every element of COBIT or every single piece of ISO 27001 or 27002. But first of all, you want to be aware of what a framework is and how it helps us. So a framework ultimately cannot be determined until you know what your
objectives are. Some are information security frameworks, some are business frameworks. Of course we're going to focus on information security. Some are quality frameworks. So what is it within your organization? Which framework is going to match your business objectives? Governance determines that first, and then the framework is going to set up the structure for your security program. So we know what our goals are, we're going to choose a framework that aligns with those business goals, and then it's going to provide us the structure. So, you know, how do we support access control? How do we support risk management in our company? How do we support physical security? Not the details of specifically what our policy should say, but the guidance of what an information security policy should address, the guidance of what we need to be concerned with with access control to resources, with physical security, whatever those may be, okay? So ultimately a framework is sort of setting those individual elements that we need to accomplish, and then our security program will satisfy the framework. I hope this is starting to kind of float. All right, now if we look at some of the various frameworks that are out there, again, we're really going to focus on the cybersecurity frameworks primarily, but think of support and structure, and let's look at what we want to see here. All right, so the first to look at is COBIT. Now COBIT stands for Control Objectives for IT. Now with Control Objectives for IT, that kind of tells us in the name what it does, and the idea is essentially that we start with the business processes and the business goals, and for every business goal and objective you should be able to break it down, break it down, break it down, all the way to the point where you can see what information technology controls meet those business objectives. In the same way, you should look at any IT control and be able to trace it back up to a business objective,
and the idea of course there is there's no such thing in our company of security for the sake of security. Security is to meet the business goals. So business goals can be traced down to security controls in IT, but also IT controls are traced back up to the business as a whole. Now COBIT is a massive framework. There are a whole lot of elements to it. It's not just a quick list of, here's a control that meets an objective. So in this framework they start out by defining the principles of governance. Now again, I don't think they're going to give you a list and say, out of this list, which is a principle of COBIT's governance structure? But I think it's interesting to look at COBIT knowing that COBIT comes from ISACA, and to kind of look at this as a way of ISACA saying this is what governance needs to do and this is how governance should work within the organization. Less memorization and more understanding the concepts, okay? All right, the number one principle is to provide stakeholder value. You really could say every organization is in business to provide stakeholder value. Now every organization has different stakeholders and different understandings of what the word value means, right? But that's why we're in business, that's why we're doing what we do: somehow, some way, we provide value to our stakeholders. So everything that's true for the business should be true for information security. Do we in information security provide value? Well, we don't profit the company, right? I mean, there are very few things I do in information security that create profit for the company, but I do a whole lot in the organization to reduce loss. That's still value. So in information security, not only do I have to provide that value, I have to be able to demonstrate that, to prove the value that I provide, and a lot of times in information security we don't do a great job of demonstrating our value, right? I could see questions coming up on
the exam that, you know, you've made your pitch to senior leadership and they are still unwilling to release funds to support one of your information security endeavors. What could you do to change their mind? Show value. Don't go into the office of the CEO, or even your Chief Information Officer, your Chief Risk Officer, your other officers, don't go in spouting jargon and acronyms. We go in talking about value. We look at the value of what we're protecting, we look at threats and vulnerabilities, we determine the potential for loss, we look at how countermeasures can limit or lessen that potential for loss, and can they do so in a means that reduces loss, that gains value for the organization. That's another thing that comes up over and over: cost-benefit analysis, return on investment, getting out of the basement and that mentality and talking about how it delivers value to the organization. Okay, I'm not going to read all of these; I think most of these make sense. I do just want to point out this idea of a holistic approach to the organization. That's also big on the exam and an important idea for us as well as the business. I realize we're part of the business, and I almost misspoke there, let me try that again, I'm going to just rewind. The holistic approach is important: that all of us within the organization understand we're part of one body. So it's no longer the IT folks in the basement doing IT stuff, writing code and whatever it is the IT people do, and the rest of the business trying to get our jobs done, right? It is part of the business. Information security is part of the business, so information security is part of business decisions. It's the difference between having security on the menu and security being seated at the table, and that's a very big difference. So we don't want the information security team to be adhering to one framework while the organization as a whole is on a totally different framework. We don't want a risk
management methodology for the company in one way and the information security team following a different risk methodology. We want the organization to be treated as a whole. We want alignment throughout the organization with their strategies, our frameworks and our methodologies as much as possible. So no longer these separate entities of the business and then IT. IT is part of the business, and the more we integrate business-based decisions with IT and vice versa, the more complete our solution will be. All right, so those are just some principles. Most of those will make sense. I would know what COBIT is. I would focus on the mapping of organizational objectives to IT controls, and by the way, when I use that term, IT controls, what are those? Security elements that we implement: encryption, access control, physical security, risk management, policy. Those are the controls that we implement. So alignment of our controls to business objectives is a big focus of COBIT. Now one of the ways that COBIT, one of the directives, if you will, that it provides us is to look at the organizational goals in sort of a cascading function. So we have to start with our stakeholder needs, what their objectives and needs are. That then becomes mapped to enterprise goals, and those goals then become aligned to objectives. You know, objectives are how we reach our goals, and those governance objectives are then cascaded down. I actually need another little block here to show the cascade down to IT goals and objectives. So it's just exactly like what we've talked about: we start out very broad, and ultimately everything we learn from our stakeholders' needs, the prioritization, allows us to determine the enterprise goals, which align with objectives, which align with IT controls, okay? Now this next piece, not testable at all. I just went a little further into COBIT just in case somebody wanted more of a mental reference for it. But ultimately what the COBIT framework looks
like is they've essentially spelled out five domains, and you see these domains over here in the bullet points, and then their framework essentially says, okay, across these domains, what are the main elements that need to be accomplished or that exist here? So for instance, if you look at EDM, Evaluate, Direct and Monitor, that's usually specifically governance. So they set the framework, they make sure we're getting benefits and that risks are optimized. Then that comes down, let me jump back over here, then that comes down to Align, Plan and Organize. So this is what we're trying to accomplish in the Align, Plan and Organize. So what you can see is at each of these domains there are a set of responsibilities. Now notice they don't tell you exactly what you need to know to set up your enterprise architecture. That's not the job of a framework. The job of a framework is to say you need these elements: you need a strategy that's managed, you need enterprise architecture, you need innovation and developing your portfolio. Now it'll give you some guidelines for what an enterprise architecture is or what a portfolio would contain, but it's not going to fill in the details. The details come from your program. Remember, your framework is the broad structure for what you need to accomplish; your information security program will tell you how to get there. All right, now the next: if any of these frameworks were testable, it would be ISO 27001 and 2.
Now ISO stands for the International Organization of Standards, and I know it's ISO, but ultimately that's just collectively what they're known as, the International Organization of Standards, and their job is, or let me say it this way, the international organization focuses on standardization, of course, hence the name, because when we have standards we have compatibility, we have environments that work together as opposed to proprietary mechanisms that can make configuration and management difficult. They have a set of standards in the 27000 series that are focused towards cybersecurity. Now what we'll look at specifically are the standards from 27001 through 27005. That's what we're going to look at right now. There are other ISO standards that will come up later in the course, but these are the ones just to look at right now, primarily focusing on ISO 27001 and 2. So you can see, just like what we're talking about, is when we understand the risks of our organization, that will help us determine what controls get implemented, okay? So when we talk about safeguards or countermeasures, those are controls. So what ISO 27001 does, and by the way, this is the most common framework for information security. I think that could be a question: what's the most common framework for information security? Well, it makes sense that it's ISO 27001, because it's an international standard. So the framework for ISO 27001 uses what's called the PDCA, plan, do, check, act, and the PDCA essentially says when you're working with an information security program, or information security management system, that's really a better term, and that's the term that you'll associate with ISO 27001, when you're working with an information security management system, you start by planning. Start with your objectives, figure out how to best meet your objectives. Do says, well, implement them. Then check: you need to check and determine if what you've done has worked, and if not, you act
upon it, and that process is ongoing. You're always planning, doing, checking and acting to make sure that you're current, you're updated and you're adequately managing risks, because when it comes right down to it, cybersecurity is risk management. I mean, it is, right? Am I managing my cybersecurity risks adequately? Now this is set up so that you have 11 clauses, all right? Then the second piece is going to provide the controls. So if you look at the requirements, here are a portion of the requirements. What do you have to do? Well, you start off with figuring out the context of the organization, and then leadership, and then you get into support and operations and so on, right? You have these pieces that the framework has to support, that it has to define for you. But ultimately, once you have these defined, you have to have individual controls to enforce. So we may prioritize data, and we may have a classification scheme, and we may determine that certain data needs to be protected a certain way, but that's all very broad. Once again, we need specific controls to define how. So for instance, if I look in ISO 27001's framework, there will be a control that specifies security policies and how I need to format, what information I need to communicate, my policies, how I organize, HR, personnel security, asset management, and I've got all the control families. There are 14 control families that are there, starting with A.5 through A.18. Won't memorize, don't memorize, don't memorize. What I need you to memorize, or to understand: the most common information security framework out there is ISO 27001. It provides structure and guidance for an information security management system. I don't even need you to know there are 11 clauses or 14 control families. I need you to know that it provides guidance for the entire life cycle of an information security management system. It uses the plan, do, check, act. It puts the responsibility of risk management on senior leadership. It is also a framework to which I would certify. So
if my organizational objective is to improve customer confidence one of the ways we improve confidence in our customers is we get certified we have a third party certify us and say yes you know they are reliable in these elements so my business may get ISO 27001 certified I would be certified to ISO 27001 now the controls the controls are the second part they are referenced just in the appendix of ISO 27001. they are further defined in a document called ISO 27002. now this is one of those things I love to ask about on tests because at first it can be hard to figure out well what's one and what's two here's the deal the framework is an o1 the structure the broad definitions goals the details of how are in 27 0002 the controls that are listed over here in the appendix of ISO 27001 are further broken out and defined in much more detail in twenty seven thousand two so here's the way to think of it if the question asks you what framework the answer is going to be twenty seven thousand one if they ask you about security controls it's going to be ISO 27002. okay it's just from a test perspective if you're not testing these are documents that are worth delving into if your organization is looking to determine more of a formalized structure for protecting information security or for providing information security right I need maybe to take advantage of the work that's been done by others and figure out well you know what are the goals or what are the elements of an information security policy or Personnel policy or this that or the other so the framework and the controls you could say that ISO 27002 help you determine the controls necessary to be certified via ISO 27001 that's really kind of how they work together now when it comes to actually implementing the controls that's in another document called ISO 27003 and then 27 0004 gives you guidance on penetration testing vulnerability assessments ensuring the controls operate appropriately and effectively and then ISO 27005. 
is about risk management we look at that more depth in the sea risk class so bottom line we're going to continue after our break in looking at some of these Frameworks memorization isn't as important as understanding the concepts and the purpose you can always go download ISO 27001 now they charge for it but you can do that to get the details on Schism they may just say you know what would your what would be a certification your organization might obtain to inspire confidence in its processes revolving around an information security management system so when you hear that isms and when you hear framework ISO 27001 you need guidance on controls that would help you satisfy that framework ISO 27002. so don't get caught in the Weeds on this exam this is not an exam there are things to memorize but that's not really the type of exam this is it's much more conceptual it's much more understanding where you would go to find out what you're looking for so I don't need to know all the details of 01 27 000 27001 I need to know why I would use it so kind of think about it from that perspective okay how are we doing um as far as the material everybody's still awake still hanging in there I just kind of wanted to see if anybody has any questions or thoughts any comments anything you want to throw out there and remember today is a little bit slow because you have to set the Baseline you have to do the the foundational work um I promise you that once we're done with the Frameworks and information governance tomorrow's really cool because we talk about risk management then Thursday is awesome because we build our information security program and then Friday's great because we look at incident response and management and continuity and all this good stuff today quite honestly is a little slow but we're getting there and we're building and we're moving towards where we need to be okay so we're going to go ahead and take our our hourly break I'm gonna have us come back at 12 55. 
so please come back at 12:55 and we are going to pick up and continue. And yeah, go have a good break, grab some coffee and come on back. See you in just a few.

All right, welcome, welcome back. We had been talking about information security governance, and I had had a question earlier about whether or not this training is going to include some multiple choice questions, or some test prep more geared towards a practice test or whatever for the exam. Sorry, let me get back to where my slides were. I wanted to show you... I'm going to just share my screen for a minute, and let's see here. What I want to show you is what you would get as part of Cybrary's Insider Pro, so bear with me just a minute. What you'll get if you become a member of Cybrary, in addition to access to all the courses that we offer, is access to additional learning content. Now, if I go back to the screen, CISM specifically is going to offer flash cards; you see them. Simulation, basically test prep review questions that simulate the exam environment. Other courses like CISSP or Network+, A+, Security+, ethical hacking, all those, then will also include labs, so some real hands-on meeting the objectives using simulation software. So I'll just show you. One of the things that I like about this is, if I go in and set up a custom quiz, notice that we have the four domains, and so I can choose, okay, I just want to see information security program, or I can go in and say, let me make sure I understand how to establish and maintain the program, or make sure that I understand how to integrate requirements into organizational processes. So you get a lot of power in order to customize the exam, and there are a total of 191 questions for the CISM exam itself. Again, each of the courses would also include exam prep; many of them include labs as well. So this particular livestream event doesn't come with test prep software, whatever, but that would of course be available as an Insider Pro with Cybrary. I would also mention, without going into too much... let's see if I am where I need to be. Yeah, so when you sign up, and let's say you go and look at what's available for CISM, you can start off with doing a pre-test, you've got the course itself (which I happen to teach, the CISM course), and then a practice exam, how to go about scheduling the exam, as well as additional courses that might be helpful for you. Okay, so that's as close to a commercial as you're going to get from me, and I'll tell you the truth, I'm a huge fan of Cybrary. I've been working with Cybrary since they originally came out and began as an organization, so I'm a big fan. I love the fact that we offer so many resources, so Cybrary Insider Pro is going to extend beyond just what we have here.

All right, did anybody have any other questions you didn't get a chance to ask? And again, I'm just going to remind you, pop those in chat when they come up and I will get to them as soon as I can. But you guys have asked some great questions. Don't be shy; that's what I'm here for. Anything I can do to help.

All right, so we're kind of on the downside, or the back side... we don't want to say downside, but we're on the last leg of the tour, if you will, and so we're going to continue marching forward with our frameworks. The next framework to look at is GDPR. Now, the General Data Protection Regulation is what GDPR stands for, and this is really important because of the fact that many countries have accepted and implemented GDPR into their national framework, into their national laws and regulations in relation to privacy. We here in the U.S. do not have federal privacy laws. Now, we have particular laws and regulations geared towards specific industries, but as far as a national perspective, or directive rather, on protecting privacy of information, we don't have one. So I think fair game for a question might be something
to the effect of: the U.S., Canada and the European Union have decided to enter into an agreement defining particular regulations related to data privacy; which country would have the hardest time adhering to these? And it would be the U.S., because we don't already have federal privacy guidelines. So GDPR is what the European Union has accepted, and many companies within the U.S. adhere to the GDPR standards because they do business in the European Union. And it's important to look at this from the perspective, or from the point, that GDPR gives the data subject many more rights than we do here in the States. In the States we tend, in relation to business, to sort of favor the businesses more so than the individuals whom the data describes. So in the European Union the data subject has a lot of rights, and if you look in the bottom left-hand corner, they have the right to transparency, they have the right to know exactly what is being collected about them and when, they have the right to access the information that's collected about them and to request that information be rectified or erased. So we can choose: I want that information erased and removed from the database. They have rights around automated decision making, so if you look at this, that's defined as the right not to be subject to a decision based solely on automated processing, including profiling. That's an important element, because so much of what happens is just based on automation; it's automatically going to trace this information or track this information about a data subject. So as a data subject we have a lot more control under the regulations of GDPR. As a matter of fact, if you want more information on all the rights of data subjects, over on the right side, in this black rectangle, there's a little bit more information, and there are more rights than are just in the bottom left. The fines are increased. There is a shorter time from when an incident is detected to when authorities have to be notified; it's now, under GDPR, 72 hours to notify the appropriate parties. There is a lot of information that's specifically documented to be considered to fall under GDPR. This is just a good kind of cheat sheet that hits at the gist of what the General Data Protection Regulation sets forth, and the responsibilities of the various elements, you know, who are the data players, who's the data controller or the processor and so on, and you see that in the middle. So this is a good cheat sheet. Again, you don't have to memorize, but you do want to get the gist, and you do want to also appreciate the fact that it's very significant that we here in the U.S. don't have these federal privacy laws. It makes it much more difficult to have a consistent, uniform application of security that data subjects can just expect or be guaranteed, right? Different industries require different amounts of data and have different requirements, different fines. So it would be much more in the interest of data subjects, and if we really do want to see changes made in information security, it would be worthwhile, it would be valid, for us as a nation to look at adopting a federal standard like GDPR.

All right, now as we continue on talking about frameworks, the next framework I want to mention is the Capability Maturity Model Integration. This is certainly relevant. The CMMI came to us originally from the good folks at Carnegie Mellon, in the Software Engineering Institute, and it was designed to indicate the reliability of an organization's project management processes in relation to software development. It was designed as a way that the government could assess that reliability, to get that third-party assurance. And the real focus here, any time you hear this phrase "maturity model," the idea is that the more mature an organization's process or processes, the better the product. So I can inspect every piece of software that
you put out, but if you can provide documentation of your processes, your procedures, your testing, your change control, all of those elements, and if I can look at those, I determine the maturity of those processes, and that gives an indication of the maturity of the product you'll produce. That's just kind of an upper-level gist of what it is. So like I said, this was initiated with Carnegie Mellon, but ISACA now manages the Capability Maturity Model Integration; they've taken that over from Carnegie Mellon and SEI. So if it's another ISACA framework, it's certainly possible that that would show up on the exam. All right, so originally designed for software development, but it's really shifted from just development to information security and other organizational processes. Now here's your commercial for the CMMI. I thought I'd throw that on there because again it comes to us from ISACA. So what are their goals? You can see these goals. I'm not going to sell you the CMMI, but this is the mentality; I'd rather show you how it works, or what the idea is. Okay, so it's a suite of products that address five main domains, or components, that work together, and ultimately what we look for with CMMI is we look to demonstrate a mature process.

Now, there are five levels of maturity that are defined for the CMMI, starting at the very bottom, which is Initial, all the way up to the top level of maturity, which is Optimizing. I would know these five levels; I think that is one of those things that you need to memorize. I don't think they're going to describe an environment and say, would this be level one, two, three, four, five? There are a couple of buzzwords at some of these, so I just want to kind of cover them. So an organization that is just really kind of getting started, so to speak (I don't mean they're a brand new company, but I mean they're just moving towards having a formalized framework and formalized processes in place), is likely going to receive a level one evaluation. They're going to be categorized in the Initial level, and so you can see the words "unpredictable" and "reactive." Usually, when an organization is seeking a CMMI level, they're probably not going for level one, right? "Yay, we're unpredictable!" That's not usually what we're seeking. Other words associated with level one: chaotic, heroic efforts, meaning we might pull it off, but that means we're going to have folks working overtime and weekends and really just throwing everything they have at it. Now, level two is a step in the right direction. We have our projects that are planned, performed, measured and controlled, meaning we have a well-defined scope on our projects, we have a schedule, we have a budget, and we measure up against our baseline configurations for each of those. We are able to make changes to our projects and our endeavors as we move forward according to a specific process. Now, Defined: a lot of organizations are looking to get evaluated at level three. So we're proactive; we don't just respond, but we have proactive strategies in place. We have organization-wide standards, so regardless of the office or the location, we have standards across these programs, projects, portfolios, and they are defined, they are repeatable. Quantitatively Managed means that we are data driven. I understand quantitatively how a change to my process impacts the product that I'm producing. I have alignment with stakeholder objectives; we're getting there. And then finally, at the top, Optimizing: continuous improvement. We're always looking for ways to perform the process better, to make a better product, to make us more efficient, whatever our goals and objectives are. So as an organization, again, if my business objective is to provide more customer confidence, then I might decide we're going to go out and get CMMI level three. Or if I'm going to increase market share, if I'm going to do business with government agencies, a lot of agencies require that I'm CMMI level three, so that might be a driver to say, hey, we're going to undertake this framework. That of course comes with, like we mentioned, the products and the guidance from ISACA on how to implement this environment, right? So there's always a reason that our governing entities choose specific frameworks. Always a reason. Okay. Don't spend too much time memorizing the frameworks. Be able to tell me a 10,000-foot view of what each of those frameworks does: why COBIT, why CMMI, why GDPR, right? So you don't have to get down into the nitty-gritty, but have the gist of what those frameworks do.

Now, almost always, each organization that you're going to work with has external drivers for which framework they're going to choose, and external drivers that are going to impact their security program and policies and procedures and so on. A lot of times those external drivers are related to the law, and we want to stay within legal compliance. Now I've got a question for you; I just want you to think about it. Is there ever a time I might choose to be out of compliance with laws or regulations? And the answer is yes. When we look at regulatory requirements and we think about the possibility of being outside of those, we evaluate them as a risk like any other risk. There are some requirements or some regulations that we choose to be out of compliance with, because the cost of compliance is greater than the cost of non-compliance. So it's not like regulations are always the trump card for every decision you make, right? Being out of compliance is another risk; we make a good business decision. Now, we have to consider all the repercussions and all the costs that are associated with that risk, right? So fines, and then if we're fined, does that become public information? Does that cause our customers to lose confidence? We've got to
look at things from a broad perspective, but I just want to stress that being in compliance is another consideration in the world of risk management.

Now, when we think about compliance, there are all sorts of laws, but like I said, there are no federal laws that specifically dictate a specific set of privacy controls for data. The laws and regulations tend to be directed at specific industries. We've got laws that address privacy, usually protecting data subjects' information. Intellectual property protects creations, or protects, what I want to say, whether it's ideas or products; products of the mind is probably a good way to think of intellectual property. We have contracts that we enter into with our business partners, and then of course we always want to be aware of civil, criminal and administrative laws, and that really is part of due care and due diligence, which I'll talk about in just a minute. Governance, our governing entities, governing bodies, are accountable for us being in compliance. So at the end of the day, if we're not in compliance, those fines and penalties, or even worse, would be directed at our senior officers.

Now, I did just want to mention two terms before I move over. I don't have them on the slide, now that I think about it. I wanted to mention the terms due care and due diligence, and demonstrating due diligence and due care is part of what senior leadership is responsible for. So when we talk about due diligence, that means becoming knowledgeable. Let me give you an example. So let's say that I have some computers connected to the internet that get compromised by an attacker, and that attacker uses them to launch a downstream attack on another company, costing thousands of dollars' worth of damage. Okay, so they're my computers, but I didn't have any ill intent; an attacker compromised them and used them. So the question then would be, am I liable? Maybe. If I were to then ask you, is it possible to secure a system in such a way that you can guarantee there would be no compromise? Can I do that? Can I really guarantee that I've built a system that cannot be compromised? Of course not, and as soon as you think you can, somebody's going to come around and compromise that system, right? So what can I do? I can do what's right. I can do what is industry standard. I can do what's recommended by consultants. I can make sure I'm in compliance with laws and regulations and best practices, right? So in short, I need to use due diligence and due care. Due diligence means that I research; that's the part where I go find out what the laws and regulations, best practices, industry standards are. I might conduct vulnerability assessments within my organization. Due diligence is the research. Due care means I act upon what I've learned with due diligence. So due diligence is research; due care is action. So when we say information governance is accountable for compliance with laws and regulations: knowing what the laws and regulations are is due diligence; making sure we're in compliance is due care. Okay, so that's another element that senior leadership is accountable for.

Okay, now, other considerations: data retention. How long should I keep my data? How long should I keep email messages? How long should I keep patient information? How long should I keep process data? The answer is, it depends. What does it depend on? Well, a lot of times it depends on what our policy is, but our policy is often driven by external drivers, again, often laws and regulations. So certain industries are required to keep certain types of data for one year, seven years, whatever. Now, with that policy, we take those requirements, we look at stakeholder needs, and we determine what our archival policy should be. We don't want to keep data longer than we need to, right? The longer we keep data, the longer we have to protect it, the longer we're accountable for its security. It then becomes kind of a liability, right? So we keep data as long as we're required to do so, which should be determined in the writing of the policy, and at the end of the data life cycle, at the end of its retention, then we destroy it. Secure destruction of data is important: making sure we don't just click the delete button, but that, if it's data that's sensitive of any sort of nature, maybe we overwrite the drive, or we physically destroy the drive, or we crypto shred, which means we encrypt it and then destroy the key. The bottom line is we retain data as long as we need to, usually based on laws and regulations. At the end of its retention period we make sure the data is destroyed securely, and that it's destroyed securely and consistently regardless of where the data is located. So sometimes we may have multiple copies of that at different locations; at the end of the retention period we destroy it across all of its locations, regardless of where the data is stored.

We also, when we're storing data for a long time, need to make sure that we're archiving that data to media that we can access later on. I don't know, for those of you that have been around for a while, the various tape formats that we've had, or disk formats. We want to make sure that if we're saving to a certain format of media, we're going to be able to access that type of media in two years or five years, or at some point in time when we need it. So we just need to go back and evaluate. When I first was in IT we were using the floppy disks, but then came the Zip drives and the Jaz disks and the various formats of tape that we were backing up to. So that's less relevant for us locally, because many of us are archiving to the cloud, so that becomes kind of the cloud service provider's responsibility, but we need to be aware of that and make sure that data can be retrieved at any point in time that's necessary. Now, as I mentioned,
various ways of getting rid of data once it's exceeded its life cycle: we want to make sure that the data doesn't remain, that there are no remnants of data. So I've just listed out a few types here: clearing, purging. Physical destruction is obviously going to be the best way to ensure there are no data remnants, but that's not always realistic. We may need to reuse the media, or we may be storing this data in a cloud service provider, so that's not going to work either. Crypto shredding would be the more secure way to secure data in the cloud, and like I said, that was encrypting the data and destroying the key. Okay.

Now, one of the things also that might drive our retention policy would be that potentially information that we store may need to be accessed by law enforcement, may need to be presented in a court of law. So we refer to that idea as e-discovery. Often that impacts email, but again, other types of electronic communications too. So we need to make sure that our retention policy would be driven by laws and regulations revolving around e-discovery.

Physical considerations. Now, a lot of times with information security managers the idea is, well, I'm not in charge of physical considerations; I'm not the person that chooses what building we operate out of, and I agree with that. However, it's important for us to understand that our physical environment is, of course, a critical aspect of the security of our information. So there are just a couple of little notes here in relation to physical security, and even though this may not be your role, it's important to kind of look for these elements, and if we have a voice within the organization, use that voice to make sure that our physical security doesn't provide a vulnerability in relation to our data. Now, there is a concept called CPTED, Crime Prevention Through Environmental Design, and this really focuses in on physical security controls, and the idea behind CPTED is that if you build a facility to be secure, it's easier than going back and securing an existing facility. This idea, secure by design, that's not just for physical security, right? That's software development, that's system development, that is, you know, build something to be secure as opposed to building it and then going back and going, huh, how do we secure this? Right? So things like having a building somewhere where there's natural surveillance; natural access control, you know, prickly bushes under windows, that's a deterrent to an attacker; territorial reinforcement, making sure that the control and the access to that organization is well marked; and then maintenance and management, making sure that your building is kept up, that it doesn't look like it's abandoned, right, that the grass is mowed and that there's a fresh coat of paint. Again, I don't expect these to be under your control, but as we move more towards the management and governance side, we begin to have a greater and greater voice, and making sure that we understand that physical security absolutely impacts our data security, and that these are just some guidelines on how we can create a secure environment from scratch.

Okay, some other considerations: temperature and humidity control. Temperature around 70 degrees, humidity around 50 percent. You don't want too much fluctuation in either. And what's been interesting is, with temperature control, one of the things is I'm seeing organizations have their data center temperature increasing, and the idea is, after doing a careful cost-benefit analysis, that it's cheaper to let processors burn up than it is to cool the entire data center. I don't mean just left and right let processors burn, but by increasing the temperature a couple of degrees I get a whole lot of cost savings from air conditioning, and in evaluating the number of processors I lose, many organizations are determining it's more cost beneficial to let the temperature creep up a little bit. So all of these are risks that have to be evaluated independently. What are the trade-offs for security? What am I willing to trade off? What kind of return on investment do I get? What's the cost-benefit analysis? That's what all of these considerations revolve around.

All right, now as we move past those ideas, the next thing our governing entities are responsible for is to develop an information security strategy. Well, our corporate strategy is essentially going to direct us in how we accomplish our goals and objectives, right, how we satisfy the needs of stakeholders. So in our information security strategy it's the same idea; it's that broad direction that we're headed in. I always think about security strategy with... I like to watch football. Sadly, I'm a fan of the Carolina Panthers. I don't want to hear about it in the chat. One year it's going to be our year. Not this year, and probably not next year, but someday we're going to have a real year. But anyway, I think about, at the end of halftime, the coach comes out, and always there's a reporter that's out there on the field: "So what's your strategy for the second half of the game?" And the coach will say, "Well, we're going to run the ball more; that's going to open up their passing lanes. We're going to try to catch them off guard on defense." Those are really broad, sort of general ideas. That doesn't give away our playbook, right? But it does prioritize; it does sort of state, here's what we're going to do, and generally speaking, how. So what happens is our leaders take the stakeholder needs and requirements, they translate that into objectives and goals for the business, and then determine what the security strategy is that'll kind of give us that broad picture of how to get there. Now, the strategy has to be in alignment with the business
objectives. Again, that's always relevant. Our strategy has to look at risks and prioritize decisions based on risk. It's got to deliver value; the way we're doing this has to provide value to the organization. I don't know of any coach that's ever come out of the locker room and said, "Well, our strategy for the second half is to fumble more. We just need to fumble more." Right? Or, "I think we're just not going to try very hard." Right? There's no value. I've got to make choices, even though here in my strategy they're broad; I have to make sure that they're in alignment with where we want to go and that they're going to pay off, right? Tried and true value delivery. I've got to use my resources well. I don't say I'm going to have my quarterback run the ball every play, and throw the ball and catch it himself; I'm not optimizing my resources. So the idea is these elements are true of strategy, and my organizational strategy and my information security strategy should possess these traits. What are we looking to do? Again, our information security program is going to give us the how. Governance is always telling us what, big picture: this is what we're going to do. Our security program, on Thursday, tells us how.

All right, now, in alignment with the business objectives, again, we've already talked about a framework, right? We said, okay, I'm going to become ISO 27001 compliant, or CMMI level three, or whatever that may be. So am I already there? Am I already compliant with ISO 27001? Probably not. So I have to look at my current state: where am I? Okay, well, we're here, we're here, we're not there, we don't have this, we do have that. We look at our current state, and then we have to look at our future state, sometimes referred to as a desired state. All right, so what are the things that need to be implemented? What are the elements that we have to demonstrate? And our roadmap is essentially, again, a broad instruction on how to close that gap: closing the gap between current state and future state, right, current state and desired state. And our strategy should provide us a means of closing the gap. That's really what our security strategy is all about. Analysis: where are we, where do we want to be, what do we need to implement to close that gap? So you can associate our security strategy, you can associate the frameworks, as providing us with the means to close the gap. So I think you'd see several questions about "the CMMI framework should be used for..." and then the answer, the only answer, often, that makes sense: gap analysis. Where am I, where do I need to be, what are the specific requirements that need to be satisfied to close that gap?

Now, as we're developing our security strategy, as governance, why are we making good decisions for the organization? An enemy to decision making is bias, and bias is when we make decisions or judgments based on something other than logical, rational thought. It happens all the time, and everyone is subject to bias. So the best way to deal with bias isn't pretending it doesn't exist; it's acknowledging that it exists and confronting that bias and making good business decisions. It's really critical as a manager to be aware of the fact that sometimes I'm overconfident; sometimes I underestimate the time it will take to do things; or this idea of groupthink, or herding, that I tend to just take on the ideas of others; or false consensus, I find people that think exactly the way I think and I use that to prove my point. Well, of course I'm right; ten of my closest friends agree with me, right? They're not going to ask you on the different types of bias. These are just some types of bias to kind of make it more real, just the danger of bias, and the fact that the way we confront bias is we surround ourselves with people that'll hold us accountable. We surround ourselves with people with different backgrounds and experience that are willing to challenge us, and we ourselves have enough emotional intelligence to admit we might be biased, to tackle it head on and to make good, rational decisions. That goes back to what we were talking about with governance: one of the first principles of governance is fairness, to make good decisions based on the facts.

All right, we talked about gap analysis and using those frameworks for gap analysis, and the strategy, the information security strategy, is going to close that gap. We look at where we are, maybe versus a framework that tells us where we need to be. Our strategy says here's how we're going to get there, and again, that's the responsibility of governance. And then your roadmap is often a visual that kind of lends itself to communicating what your strategy is to others. And you say this is just a silly little graphic, but the idea: you see the broad points within the roadmap, not the details; that comes in our program. And our goal there is to close that gap. So this is going to be the basis for our program, and our security program, again, is that action; it's where we take action to get to these objectives. Okay.

Or, as I develop my strategy, I want to figure out, like I said, where we are, and many times that's going to require I use a SWOT analysis: strengths, weaknesses, opportunities and threats. So how are we going to approach closing the gap? We're going to maximize our strengths, we're going to minimize our weaknesses, we're going to try to take advantage of opportunities and minimize our threats. So often we do an assessment, a SWOT assessment, to determine what those are, because we want to make sure that we're closing the gap in the way that we're most likely to be successful. Okay, and I think this is a good graphic that just shows what the elements of SWOT are that you have to consider.

Other ways we make decisions, as managers, project leaders, program leaders: we could use a balanced scorecard, or scorecard, and the idea is that benefit is not always just profit, right? Certainly we like money, we like to profit, we like to see the financial benefit, and that's one area of evaluation on a balanced scorecard, but we also have to look at how it's going to impact our customers. Is it going to improve our customer confidence ratings? What are our internal processes? So when we talk about our internal processes, do we have the internal processes; how will they benefit from the changes we're making; are we going to operate more efficiently? Because that's certainly an incentive, or that's certainly tied to value. And then also, how can we increase our knowledge base? How can we allow our employees to develop, to learn from what we determine? Do we have that opportunity for growth? So a balanced scorecard is all about looking at value from different perspectives: from financial, from customers, from process and from learning capabilities. And this is what a good project manager looks at to determine endeavors that they're going to undertake, but also, again, tied back into the strategy: is our approach going to give us benefit, not just for profit, but maybe from internal perspectives, maybe from the customer perspective, whatever that may be? Okay, and again, we look at those elements and we develop our roadmap. We determine what our target is, and then ultimately what the tasks are, prioritizing, our methodology, setting this up as a project. So again, just another example of this just being a template, but an example of a roadmap that you might create or define to communicate your security strategy with your team.

All right, and then the last little bit here, talking about organizational culture. Just out of curiosity, I just want to pause and ask you to think about the culture, particularly the security culture, of your organization. I've worked in organizations that have a very security-minded and focused culture, and I've worked in organizations that are very lax in their security culture, if you will. So the question being, what's the difference? Who drives culture within an organization? So it's senior
leadership if you want to impact a change in organizational culture that has to come from the top that's a really important idea on this exam right if I walk into your organization I can get a feel for your culture within a minimum amount of time and by understanding your company culture I can pretty quickly figure out whether or not senior leadership in your governing entities whether or not they have buy-in with security because that flows downwards so when I go into a company and multiple people are walking through the security door on one card swipe or um there's no security desk where your visitors have to check in or people walk away from their laptops with their access cards still in the reader or don't lock their systems that's a real indication of the organizational culture and ultimately that gives me an indication of the commitment from senior leadership to security so culture comes from a lot of different places leadership though has the greatest input impact on culture now we can change culture within the organization but it's always so much easier to start with the security-minded culture than it is to come into an organization and change that culture but if that's our task and certainly you know Implement initiatives try to enhance working relationships between teams but you're always going to have these variables with culture as well but really the main impact on culture does come from senior leadership yeah so what we're looking for information security culture this first bullet point I like this security awareness and behaviors are seamlessly integrated into employees daily operations as well as a strategic executive leadership priority I'm just going to pause I just want you to to think is that the organization that you work in is security awareness are employees behaviors seemingly integrated with a focus on information security or security as a whole and I think most people would say maybe in some places I think other folks can kind of give a 
definitive yes some folks can give a definitive no but I think the majority of folks would say maybe you know yes here not so much here we've got some room to grow that's exactly where this Gap analysis and security strategy come in we know where we want to be we want to check off these bullet points these first and second bullet points we want a security culture where we are aware it's just what we do it's how we make decisions well that's not where we are well where are we well we do check IDs of visitors you know we do these things that's where we are where do we want to be how do we close the gap that's our strategy and our information security strategy also is going to include how we communicate to the team our expectations through policies and procedures and then the enforcement of those policies and procedures also is going to impact culture we want employees to make good decisions we don't want employees to be bound to a list of do this don't do that because any time there's ever a variation from that list an employee say well you didn't tell me not to do it we want employees to make good sound decisions based on an understanding of security and of risk management I'll never forget this I one of the first classes I taught way back in the 90s actually back in 95 I taught a class of um of nurses how to use Windows 95 we were coming from Windows 3-1 so that gives you a little bit of a date there but it's mid 90s and I spent the whole morning teaching the miracle of the right click and the the double click and the you know just the different patterns of you know using your mouse and it was not a very Advanced group I mean it took a while to get tap tap for double click you know back in the 90s so many people didn't have big computer skills um so if I'll get not a profoundly computer savvy group but at lunch at lunch I was totally goofing off and I went to um eBay I was going to eBay I can't remember if I was buying something or selling something um so at any 
rate I I was just goofing off and I went to eBay and I got a message that the hospital proxy had blocked my transaction or my connection and I was like I don't care I'll just go at lunch or you know just do it later and ultimately uh I wound up one of the nurses passed by and she said oh Kelly go here should I go to www.proxy7.com and type your request and then you'll be able to connect so here's someone that didn't know right click from left click yet she knew well enough to send my request through an anonymizing proxy out on the internet so that I could go to a site her security team had blocked blew my mind you know and the idea is she didn't think she was doing anything you know she was following the rules and there was no rule that said You shall not go to proxy7.com so instead of just given a set of rules in our security training we want to help educate our users to understand the threats that exist the vulnerabilities inherent to our line of work and that we make good decisions that are thoughtful in alignment with our policies and that's a lot different from just having a list of do this don't do that all right just had a couple of uh quick questions about overlap between cissp and cism I think I'd talk about this a little bit earlier uh risk management information security and the philosophy of the importance of policies and procedures um uh the alignment with business objectives those are definitely overlaps and then Abdul uh how many sessions there are four sessions one session each day somewhere around three to four hours um that will cover the four domains of the system certification all right now last informational slide here best practices start with culture build a secure culture train your organization your employees to focus on security again not a list of things to do and not do but how to think and how to make decisions that are risk aware understand the value of what we're protecting figure out what threats exist and the vulnerabilities that we 
allow you know poor Behavior weak passwords unpatched systems all those vulnerabilities that exist help them make good security decisions that find the right amount of security not Overkill either right but the right amount of security and we'll talk tomorrow about what is the right amount of security and the right amount of security is a balance between protecting our assets and keeping the business moving right meaning efficiency ease of use user acceptance backwards compatibility tomorrow focuses on that balance now also like we said getting senior leadership on board ideally senior leadership's on board right that's not the case many times so our job as Security Professionals to get the ear of those decision makers whether it's the CEO the CFO whoever those parties are that can support our endeavors and helping to communicate our value we'll talk a lot about value tomorrow okay so my friends these are the main elements from domain one like I said we have a total of four domains we'll do one domain each day for session of between three and four hours so we are wrapping up domain one and what I wanted to do was to direct your attention to those topics ideas Concepts that are most relevant under the system certification exam understand the concepts and the requirements for information security governance why we need governance what the role of our governing entities are what their responsibilities one of the big responsibilities taking stakeholder needs prioritizing them and making sure that we have well-defined goals and objectives governance chooses a framework that will help us accomplish those objectives if you're in the government you may use nist framework cyber security framework you may use cmmi or ISO 27000 but governance determines a framework that's integrated throughout the organizations make sure we're in legal compliance or we address those risks based on the standard risk methodology that we choose again we'll look at it tomorrow then we determine 
what our security strategy is we analyze where we are versus where we want to be and figure out how to close that Gap and ultimately we want to make sure that our culture supports the direction we're headed okay now I have a question about um being a data owner I'm not 100 sure that I'm following the question from Stuart what if people don't have the appetite for being a data owner would that be don't have the knowledge or understanding for being a data owner or I don't know if you might follow up that question but just to reiterate the data owner is accountable for the protection of data they make the decisions on the right amount of security and they do so in conjunction with the security team as a member of the security team I can advise but the deciders are the data owners so they have guidelines that they work within right and they have requirements that need to be met but it's the ultimate responsibility of the data owner to ensure that their resources are protected so they're responsible for evaluating monitoring and maintaining the security controls that needs to be clearly defined so the data owner doesn't just come out and say uh this is top secret data or this is high value data they have a data classification strategy that they can use for guidance that classification strategy will say Okay data owner what criteria does your data need all right then that is going to be categorized as medium uh have a security category of medium security and based on that security category here at the security controls that you should choose to implement so you know I I kind of went through that quickly saying oh the data owners the decider but what's so important and part of our security program that we'll look at on day three Thursday what's so important and so necessary is that we have the policies and procedures in place so that data owners can make good choices and the appropriate security can be implemented okay folks we have indeed gone through the material of 
domain one so my question to you do you have any questions is there anything that I can answer for you or make a little more clear or anything I can help with all right so domain one information security governance not a really long chapter that's appropriate because it's only 17 of the exam right so the other three chapters make up the vast majority so this is a little bit shorter than some of the other chapters it's important to understand Concepts Concepts Concepts Concepts why we need Frameworks why we do Gap analysis what the security strategy does and how the roadmap illustrates it what how this governance sets out our goals and objectives and then we're going to find a risk-based approach for how to accomplish those goals and objectives across the next two days and then day four which is Friday is going to tell us how we're going to address incidents or things with negative impacts on our environment all right so a question I often get is is this enough for me to pass the exam well of course it's not enough for you to pass an exit in order to pass the exam you got to take this information and study it learn it understand it and one of the best ways to determine if you really have learned it you really understand it as well as teaching your mind to take this material and apply it best thing I recommend is to do some review questions some exam prep like I said cyberries Insider Pro will give you access to our exam prep database there are other exam prep databases out there I'm not going to tell you cyber is the only organization that has exam prep databases so whatever I would always recommend doing some practice review questions try to get through 100 or 200 questions before you take the exam so we can all kind of sit and listen to a lecture and go uh I get that that makes sense okay but what we want to be able to do is to make sure that we understand it in depth and can apply it and the best way for that is to get your review questions so of course you know 
I'm always going to say go with cybrary I think they have great material great exam prep but if you're not going to make sure that you use some exam prep to kind of solidify what we know okay and guys got to tell you the truth I know today was a little slow because it's Frameworks and compliance tomorrow I think is fantastic I think it's something that everybody can benefit so make sure you get your entire family gathered around the computer tomorrow because we're going to talk about risk management including identifying risks assessing risks responding to risks and then continuing to monitor for risk if I were to force every employee to attend one module of schism Beyond a doubt it would be on risk management if we started making good risk-aware business decisions the world would be a better place and if you elect me as president I will make sure that happens all right so guys thank you for your attention I'm so excited that you spent uh multiple hours of your day with me um ah real quick question actually I'm gonna wrap it up and that anybody that wants to stick around for a little question and answer stay with me but if you were here for the lecture and need to get on about your day have a great day I hope you come back tomorrow and um good luck with all your studies so I did have a question about you know the sad reality and it is a reality that many organizations don't prioritize security within their organization they don't put a lot of effort time energy so the reality of that is that they're you know they're opening themselves up to liability to loss to all those bad things we know that can happen but how do we change their minds well sometimes you can't so the first thing I had to learn is sometimes I'm speaking with to death ears I'm talking to deaf ears and I have to tell you I have left organizations because of that you know if a company hires me and yet doesn't take any of my recommendations they're not getting any value from having me as an employee 
and I'm not getting any satisfaction from working there I'm not telling everybody to quit their job but I'm saying I want to work in a secure a security aware organization I want to work in an organization that values security that cares about their assets and takes step to protect steps to protect them the second thing is if I don't I have to make my peace with that I have to make sure that I'm not on any decisions as the person with the signature if you know what I mean so I can advise someone till they're blue in the face what the right thing to do is but they can still choose to do differently I just want their signature saying that they made these choices usually when I have recommendations or I do a vulnerability assessment or recommendations for improvement in the environment I'll often offer two or three solutions two or three suggestions you know here's your top cost here's your low cost here's your middle sign on or here's the option just to reject my solution altogether I want leadership to sign that paper I don't want it coming back to me a poor decision the other thing that I can do is I can control my immediate environment I can control my team now we approach security how I enforce how I determine what's right and how I enforce and create a secure culture within my environment maybe it's just my team and I make my peace but that's what I can do and then the other thing is I continue to try to get the ear of decision makers and when I run an information security project when I set out my goals and objectives those goals and objectives should be business goals and objectives not I.T objectives so I'm not looking to you know I'm going to upgrade the existing infrastructure okay my goal isn't anything other than to help the business so the way I frame those goals on these projects I'm going to reduce man hours lost due to outdated equipment and I'm going to reduce those man hours loss by 10 within the first quarter again I'm just talking off the top of 
my head but what I'm trying to say is when we run these projects our project should have goals and objectives directly tied to benefits to the business and so those goals and objectives need to have clearly defined value expectations those are the objectives of the controls the objectives of the project and when I have a successful project I can go back and say look at the value this project delivered not in terms of oh I upgraded to an ASA 5000 but that I have reduced man hours lost in the first quarter by three percent from last year based on incident response reports or whatever so I could have just made that a very quick answer and said talk to your senior leaders in relation to the business as opposed to Tech threats talk to them about cost benefit talk to them about return on investment prove value to them right that was a tremendous question and that also is a question I think you'll see on the exam multiple ways it'll be phrased but that idea is sometimes senior leadership doesn't get it how can we help get them on board and I love uh I love that question are there other questions all right now tomorrow if you didn't get a chance to ask your question or you're like me as soon as we close the the room you'll think oh why didn't I ask her this jot it down I'm going to start off tomorrow with a quick review of today and then I'll pause for any other questions that you have that might come up so if you didn't get to ask your question today no sweat we'll talk about it tomorrow okay again thank you all it has been such a pleasure to get to spend a little bit of time with you and I hope to see everybody back tomorrow for risk management 101 have a great afternoon and we'll see you soon take care all