CCT 078: Security Operations Concepts of Need to Know, Least Privilege, Separation of Duties and More! (CISSP Training D7.4)

Oct 09, 2023

Do you really know who has access to your sensitive data? Let's unravel the veil of cybersecurity, highlighting a ransomware incident that cost Caesar's and MGM a staggering $15 million. Tune in as we explore CISSP domain 7.4 and the critical need-to-know principle that insists on access to sensitive data only for those who genuinely need it. We'll also touch on the invaluable resources available on CISSP Cyber Training that can aid in your exam preparation.

In this fascinating dialogue, we venture into the world of zero trust architecture, least privilege principles, and identity and access management. We reveal how these strategies can fortify your company's network. We'll also discuss GRC, an essential part of SAP that assists in managing user access and the division of duties. We walk you through the financial industry's use of instant approval for high-level transactions and the concept of just-in-time privileges. 

Ever wondered about the risks of granting too much privilege? We'll break it down for you. We'll also shed light on the role of a managed service provider during a security incident and the importance of using pre-set, securely stored credentials. Learn about situations where temporary privilege elevation becomes vital, such as software patch installation, data migration, and compliance auditing. And let's not forget about time-bound access, multi-factor authentication, and separation of duties. So, strap in and prepare to arm yourself with vital cybersecurity knowledge.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign up to join the team for free.

TRANSCRIPT:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Good morning, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a great day today. Today we're going to be talking about some awesome things around security operations as it relates to the CISSP, and it is going to be super exciting. So I hope everybody's done well this past week. One thing I wanted to bring out to you all is that I just had one of my folks reach out to me and let me know they passed the CISSP the first time, so that's a positive, and Joe did an amazing job. He did a great job studying for this, and one of the key points that he talked about was how much the podcast really contributed to his being overall ready and prepared for the exam. So between the podcast and then, I've had another individual with our CISSP Cyber Training, in the overall training, just pass as well, so we're getting a lot of positive feedback as it relates to the podcast and the training. So if you haven't had a chance, obviously you're listening to the podcast, so that is your first step in being a positive move forward on your CISSP. The second positive thing is the fact that if you go to CISSP Cyber Training, you'll be able to gain access to all of my training that's there in one spot, collated for you to be able to access at any time. So again, cisspcybertraining.com, you can go there, or you can head on over or just listen to the podcast and we'll use that to help you get what you need. Okay, so before we get started, one thing I also want to bring up was around the Caesar's attack that occurred back...
Well, Caesar's and MGM, that just occurred a couple weeks back, and more things are coming out of this, obviously, from what the amount is, the people that did the attacking and so forth. But one aspect to keep in mind is that they were saying that, well, I should say this comes out of CNBC and I've seen this a couple places online, that they paid out the ransom, Caesar's did, for $15 million. And the interesting part around that is we're going up and having more ransomware attacks, the amounts are continuing to climb, and $15 million is absolutely mind-boggling how much money that is. And the fact is that they paid it for nothing, right? You get nothing out of it other than the fact that you pay $15 million and then you have to write it off on your taxes, but short of that, you still don't get anything with it. So it's just incredibly crazy how much this has affected that environment. And I guess they demanded, the cyber criminals that did this had demanded $30 million ahead of time, and they came down from $30 million to a negotiated settlement at $15 million. So they're saying that right now the attack itself is probably going to be in the upwards of anywhere from, the minimum amount would be $80 million, which I struggle with, because if you already paid out a ransom of $15, it's going to be hard for you to get at least an amount as $80 million, and I've heard it's on the upwards of possibly $200 to $250 million. So just because of a ransomware attack, that is what's lost: from the ransom, opportunity costs involved with people that can't work, the fact that you're going to have to re-image and/or put in new equipment, and just plain out lost revenue because of the situation. So it just blows my mind where we're at today, and it does not pay to be the good person, it pays to be the criminal, and it'll be interesting to see where this goes and if the FBI is able to get these folks at some point in time.
Because the sad part is, yeah, the money is great for these individuals and they don't care, but they now have somebody gunning for them or somebody looking for them. So bad things on that regard. But before we will, as we get into the CISSP piece of this, you're going to be learning how you can help protect these individuals, and I think that's an important factor for you to keep in mind: all of the information that you're learning here, as the CISSP, is going to put you in a position to better help the companies you work for and create value and therefore, you know, justify your paycheck, but also to provide some help for people that need it, and I think that's one of the main reasons why I got into the security space is just because I like to see people helping, whatever information I can provide, giving them some sort of value out of that. Okay, so let's get into the security operations concepts and practices. So, as we go through various pieces of this, each of these are focused on, this is on 7.4 of the CISSP, so domain seven and basically around section four. If you go to CISSP Cyber Training, you'll be able to see section four that I have. This is kind of a supplement to all of that, just as the podcast; they kind of build upon the overall training that's available for you. So, as we get into the need-to-know principle, this is what's going to be the concept around 7.4. And the need to know is basically, as you're limiting access to the sensitive data, who explicitly needs it. So, like in the case of a security individual, you need to know that information. So therefore, you're granted access. If you don't need to know that information, then you should have no reason for that access.
And the behind-the-scenes on this is that it's going to be very important that you understand what is the data you're trying to protect and, overall, who are the right people that need to have access to it. So I'll use an example of the military, and I kind of come back to this routinely, but when you're dealing with the military and they have secrets, so, whether it's the Chinese, whether it's Israeli, whether it's French, you have secrets, and Sean needs to know, needs access to those secrets, so if he needs to know that, then I will grant Sean the access that he, or Shauna, needs. The point comes in, though, is that you, as a company, have to have a data custodian. You have to have that individual who needs to understand the data itself and who needs to have access to it. Then that data custodian has to provide that level of access to the individual. Now, it may not be that person specifically, so he may have a designate, but that person, the data custodian, needs to truly understand what data they're trying to protect, and then how are they going to grant the access for that data? Now, you'll need to map this data, and where that comes into is that you understand all the classified data that you need and all of the wording behind it, all of the labels that you would tie to it, and then you need to map that to whom needs it and what are the roles that they have that need that access. So, as an example, we'll say that there is a data processor and this data processor is a financial data processor. So this person's role, or that role specifically, should have access to, let's say, your balance sheet, your general ledger, all of those financial pieces this person should have access to, or this role should have access to. Once that role is defined and that level of access is defined, then you put the person into that role and then that role will gain the access they need to have.
Now, when they come to you and they say, well, you know what, I need access to the secrets on how you make Kentucky Fried Chicken. Well, if they're in a finance role, why do they need access to the secrets to make Kentucky Fried Chicken? They don't. They don't need that. All they need to focus on is the financial aspects, so they don't have a need to know the recipes. So, therefore, because they do not have a need to know the recipes, they will not be granted access to the recipes for Kentucky Fried Chicken. It's really basically that simple. But what you have to do is you have to really understand what is the data in your environment and what are you trying to protect? Now, when you're dealing with this principle of need to know, you need to also understand the zero trust architecture and the principle of least privilege. And we're going to get into the principle of least privilege, but to kind of go into zero trust, what does that basically mean? Zero trust is: do you trust the device that is on your network and, i.e., do you trust the account that is on your network? And the account and the device are tied to the individual. So if you go into the zero trust world, where Sean has access to this company X and, as Sean wants to work on company X, we have to make the assumption that Sean should have no trust and we should limit the trust that he has so that he can only touch the things that he needs to actually touch. And if you have the zero trust architecture in place, where you don't trust any of the devices in your environment and you have proper access controls that are limiting what the people can gain access to, then what ends up happening is you are put in a very good position to protect your company's network and the information that resides within that network, and those are two key factors.
But what happens, where all this breaks down, is people go, I've got to get the job done, got to get it done, no matter what, and they start giving people access to whatever they have to have. So they'll open up access, going, I don't know why Sean can't gain access to this information. So you know what? Let's make it available for everybody. No big deal. We've got to get this done. We'll come back and fix it later, so just open it up. So that's one of the big problems that we run into. And then you assume also, if you don't build out this architecture of zero trust within your network, now you have all of these devices that are starting, and when you first start off, especially if you're working at a small company, maybe their network is pretty tiny, but as their business grows, their network gets bigger and bigger and bigger. And because of that large size, then next thing you know, when you try to implement zero trust, it just doesn't work and it falls down. So it's important that you understand again the concepts around zero trust and the part about the principle of least privilege, speaking of which, we're going to roll right now into the principle of least privilege. Now, least privilege is the practice of limiting users' access rights to only strictly what's necessary for that specific task. And so if you have the task about the general ledger, and we talk about that, that's the only thing that that role is allowed to do, and so that is the least privilege. Or if it's able to get to hold a balance sheet, it's only those two things that it has access to, and therefore that's where it's limited as well. So it's important that, as you go down this path, you need to set up your roles specifically like this, and it comes down to the overall data mapping, like we mentioned above. Now, the other part that rolls into this is when you go into IAM roles, which is your identity and access management.
If you put these identity and access management solutions into your environment, that is another way to help you limit the access of individuals within your organization, and these identity and access management tools can vary. So you have your standard Active Directory, which would be set up to allow access into your environment. Also understand, Active Directory is actually a security-type tool, but it is used for access of different equipment or different systems throughout your network. But there's also other things, such as single sign-on. There is multi-factor authentication, which is tied to IAM, and that's tied to the individual person itself. So there's these different types of aspects you can put within your organization to help limit the amount of access an individual would have. Now there's also, under kind of a sub-aspect of least privilege, just-in-time privileges. And when it comes to just-in-time privileges, it's good to understand what just-in-time privileges are. And this could be a situation where maybe an administrator needs to perform a maintenance task on a critical server, but you don't want that administrator to be using their administrative controls or credentials on an everyday basis. You want them to only be using those for that specific need, just in time. So just in time for them to go and do what they need to do, we want them to use their credentials for that, and so you also want to add on top of that the different levels of multi-factor authentication. So as you layer in the admin credentials, you have the policy in place that Sean is only going to use his admin credentials when he needs them, just in time, to gain access to this critical server, and on top of that, Sean has to use multi-factor authentication to gain access to that server as well.
And then on top of that, you would add, potentially, another control where there is a secrets or password vault in which the information needs to be pulled out of to be used in that situation. So all of those pieces can be of extreme value as you're trying to add layered levels of controls onto that specific server. Now, another part that you can look at when it comes to just in time is around the financial industry. You can provide some level of instant approval or additional approval that might be required for a high-level transaction. Now I will give you an example of this: I deal with SAP, and SAP has financial aspects that are built into it. Well, there is a product, or basically a subsection of SAP, which is called GRC, and it's your governance, risk and compliance, and what it all basically boils down to is it is what defines how people can gain access to the system, and it deals with separation of duties. It deals with just-in-time approval. It deals with the fact that Sean should not have access to the general ledger, but should have access to the balance sheet. That is all done through that product called SAP, or through GRC, I should say. Now I bring up those two pieces as an example, but there's numerous types of aspects out there that are very, very similar, that utilize this GRC or this governance, risk and compliance kind of aspect to providing the access to an environment, and so it's important for you to understand that piece, just to know that you need to have these different levels of approvals and protections built into your approval process. Now, again, it is important about SAP and you're not going to be, I mean, maybe I'll ask you a question about SAP, but it's more along the lines of the GRC model of: do you have an approval process in place?
Are there different controls in place to ensure that those approvals are done correctly, and do you have an audit trail to ensure that if something does happen, you can go back and look and find out what did actually occur? Back to the high-value transactions. The nice part is that you can provide that level of access immediately, or you also can revoke that access immediately, and you may not want to allow those transactions to occur. Another part that comes into this that people don't typically think about with just in time is around the incident response process, and if a team member needs to do some level of just-in-time privileges to help mitigate an incident response situation. What you have to plan for is if you don't have that level already built out. Basically, what I'm saying is, if you don't have those credentials already set up, and I call that an in-case-of-emergency, break-glass kind of situation where you can then call upon those credentials to help you, if you don't have that already defined, that makes it extremely challenging to deal with an issue, because now you're having to go out and get those created while you're also trying to fight off an incident that may have occurred. So, as you're working through this, an important factor is, if you have a managed service provider, this is someone who will do this work for you, make sure that you have defined that with your incident response process already. If you don't have that, a managed service provider who does this on your behalf, then you need to make sure that you have those credentials already defined, already built and already put in a safe location so that, in the event of an incident, you can call upon them just in time. Now there's temporary privilege elevation that will occur also when you're dealing with these various accounts. And how should you handle temporary privilege elevation? And so, as we keep wanting to say, escalation,
but it's elevation. And one of the aspects you're running into in many places is the elevation of privileges, and they get elevated too much, and therefore it causes a lot of issues. But there's times when you may have to use this temporary privilege elevation to gain access to systems, and where this comes into is software patch installation. There's basically three areas: there's software patches, there's data migration and then there's compliance auditing. Those are the three ones that we'll talk about as you are dealing with privileges that you have to elevate. When you're dealing with software patches, these may have to be in quickly and you may therefore have to elevate your credentials, or the credentials of whatever account does that, to a higher level on a temporary basis to get those patches done. That's ideally what you want. You do not want a service account that has elevated credentials that is doing this on a daily basis. That is a bad idea. You want to have the ability that, if a patch goes out, you use these credentials on a limited basis and they push the patch out to those systems. Therefore it limits the blast radius of something like this getting compromised. So if it gets compromised and it's only used in certain situations, one, it gives you an indication that it has been compromised, i.e., it's being used and it shouldn't be being used. Or two, if those credentials are potentially rotated and kept in a password vault, now, once that is used and they get put back into that vault, the credentials are rotated and therefore it's useless. So there's lots of additions that you need to consider when you're dealing with temporary privilege elevation. So some risks that come along with dealing with software patches is the fact that you may have an incorrect patch. I've had that happen various times where the patch gets pushed out and it's either incorrect or corrupt.
You need the ability to have these elevated credentials to be able to undo that or unwind what you put in place. Now we're going to do a data migration. When you're dealing with elevated credentials that are temporary in their nature, you may do this to move data from one location to another. I've seen this happen when you're doing a migration; let's say, for example, you're on a SharePoint environment or file shares where they're stored, and in these file shares there are gobs and gobs of folders full of data. Well, you want to move that to, let's say, SharePoint. Well, you'll need to have a data migration plan. Well, I, as Sean Gerber, as a basic user, should not be able to move data from one location to another location unless it's specifically for me. So, therefore, you may have to elevate Sean's credentials, or you may have to have an elevated credential, such as an admin, do that work. And that's where, when you're using least privilege, that kind of access is not just given to everyone. You have to actually go out and request it. You have to then gain access to it. It is limited. You then do the data migration, then you put the account back and then, at that point in time, it's either destroyed or the password is recycled. Again, it's really important that you revoke the privileges once you do these data migrations. I see this time and again, where, when you're moving data, people will actually forget about it, and when they forget about it, these accounts sit stale for years. They're a great method for hackers to leverage and take advantage of. Now we're going to compliance auditing, again why you need temporary elevated credentials. So auditors have special tools that they use within an environment to basically do an assessment of your environment, and those tools may require elevated access to be able to provide the information they need.
So, as an example, you have a scanner and the scanner does scans on external websites. Well, that's fine, but if that's all it does, it gives a limited amount of information. But you may have a scanner that does an authenticated scan, which provides a much deeper level of detail around those servers that are actually hosting the website. Well, you would want to use elevated privileges for that scanner to be able to do that, an account that has some level of understanding of the network or of that system. So these elevated credentials would then do an authenticated scan against it and then provide much more information that could be used in the audit. All right, some additional considerations related to least privilege: the fact that we talked about adding MFA to it, we talked about that. You need to have some level of separation of duties, which means Sean shouldn't have access to this, but Bill can. One other thing you deal with is time-bound elevations. We talked a little bit about this, alluded to it, where you have it available only for a small period of time, maybe just a couple hours or a couple days. They should be limited and should not be completely allowing you to do it for a longer period of time. You need to have monitoring and logging in place, multi-factor authentication. You need to have some level of access review so that you're going back and looking at those files. It's an important part to understand what actually you're dealing with and then that you can go back and see what actually occurred. So if you wanted this account to only touch this piece of it, then what would end up happening is that you want to do a review of it to make sure that that's all it touched, was that piece of it. You have to have documentation around this and then, last thing, you want some level of emergency revocation in the event you have to pull these credentials in a quick manner.
Okay, so now we're going to talk about separation of duties, and we kind of briefly alluded to it a little bit, where you're in a situation where Sean's duties for his role are the fact that he is the controller for an organization. Well, Sean should have full access to the financials of that organization. But Bill does not have Sean's duties, is not in that role, so he should not have that level of access. So, based on his duties, he would not have full financial access to the organization. And again, this really is a strong factor on any sort of financial controls where separation of duties comes into play. Now I will tell you the downside of separation of duties is the fact that it can get very complex very quickly, and this is the part where I mentioned around the GRC of SAP. So there's separation of duties that are tied to those accounts. When you're dealing with this SAP environment, and there's many out there, it's what they call an ERP, so it's an enterprise resource planning type environment, and there's many out there. SAP is one. I think Microsoft has them. They're just, any business that grows uses this as the brain to make their operations work. The problem that you run into when you're dealing with separation of duties and the financial aspects, because these are called out in different regulations, such as Sarbanes-Oxley, is the fact that now Sean can only work in this area and Bill can only work in this area, and then, as this expands, it becomes very complex and it ends up, in some cases, becoming wasteful, or becomes destructive, related to the financial aspects of a company. And one example that I've heard of, and I've never seen it myself, is where you're trying to focus on specific financials and you don't have visibility because of separation of duties.
Well, it's really, then you have to reach out to Bill, who's then going to look at his financials or her financials, and then, from there, they're going to give you information back so that it'll help you make a better decision. The problem with that, then, is the fact that they may not translate the information correctly to you. You may not understand the information correctly, and so, therefore, you could give potentially wrong advice or wrong information, and that is where the segregation of duties is very tight. Where it gets out of hand, obviously, is you go, Bill needs access to this, and you're like, okay, well, I'll give Bill access to this financial statement, but you know what, rather than have Bill bother me in another week for a different financial statement, I'm just going to grant him access to all the financial statements. Well, now Bill has access, or Bill's account has access, to much more information than he needs, and so therefore, because of that, he could take the data, ship it out, send it out and give it to a competitor. An attacker could get his account and gain access to this information. A lot of things could go wrong by increasing a person's scope and what they understand for their role. So segregation of duties, separation of duties, is an important factor in your overall security strategy, but you have to be very cognizant that it can get out of hand very quickly if you do not have a good plan on how you're going to ensure that people have the role they have and the duties they have, and that you go back and do an assessment, maybe once a year, to ensure they have the right level of access for the role. Another one is what we call two-person control. Now, this is kind of, think about when you're dealing with nuclear weapons. I know you probably all don't deal with nuclear weapons on a daily basis, but you see it in the movies a lot.
Right, there's a sub commander in his submarine under the water and they have to launch a Triton nuclear missile out of the submarine. But what do they do? Bill has a key and Frida has a key. Yeah, I haven't heard Frida as a name in a long time, but there is a Frida. I'm sure Frida has a key. Well, both Bill and Frida will turn the key at the exact same time to launch the missile. So that's what it basically does. It means that Sean just can't go and launch the missile by himself. He needs Frida to help him do that. The same kind of concept when you're dealing with areas that are of high sensitivity, when it comes into nuclear control, and when nuclear facilities or power facilities may have a two-person control to be able to make any sort of changes to the network. I want to make a change to the network, or my account needs to make a change to the network; I may need the other person to help me do that, because Sean just doesn't have the rights to go make changes as he sees fit. So that's where two-person control can really come into play, and it does allow for what they call a peer check, but it's basically someone next to you can make sure you're doing the right thing. The next one is job rotation. Job rotation is a planned shifting of employees through different roles to prevent fraud and to basically allow people to gain better knowledge so that they can take over your role when you're fired. Well, I'm joking, but that happens too. Yeah, one thing to worry about is, it's so funny when your manager comes in and says, hey, Bill needs to shadow you for a while, we're gonna have Bill shadow you. That's okay, because Bill needs to learn this stuff. Yeah, so one thing to keep in mind is, if your company's not doing well and your supervisor is saying Bill's gonna shadow you, and you need to look at, is Bill like 20 and I'm like 60? Hmm, what does that mean?
Again, I'm not saying that that happens, but it does happen, unfortunately, and therefore they're trying to teach Bill everything so that Bill can take over your role, which he will do a terrible job at at first, may do better as time goes on, but it could be challenging. So that does happen and you may get exposed to that at some point in time. But it's important for you to move people through different roles, and it does allow them to gain access to better knowledge and it does allow them to maybe look at what's occurring within your role. This is really important for areas that have a high level of access, maybe your domain admins. I would highly recommend and encourage that you have peer control with your domain admins, you have vaults that are in place for your domain admins, and you potentially even do job rotation and move people out of that. They lose that capability for a while, and then you let somebody else go in and have that control, and that way, maybe they can sniff out anything that may have been done inappropriately or even by accident. So it's just important, where job rotation will help that out. It's kind of an anti-fraud type of situation, and it does happen a lot within the financial industry as well, but it may be something you may be exposed to in your current role or one that you're going to. Mandatory vacations are another one, where you set up a time where everybody has to take a vacation, and you can't be in a situation where Bill or Jeff does not ever take a vacation. Well, you may mandate, no, you have to take a vacation this year, and you may have to take a vacation for a week, and that allows somebody else to take a look at what's going on. I would highly recommend, though, that you set that in your policies from the beginning, that there is a mandatory vacation time scheduled that you must take each and every year. And then sometimes that happens where the vacation could be where you don't have a choice.
So you're saying, you know what, we're going to move you to a new role, or you can take a vacation, but we're going to check everything out. That, again, like I mentioned before, there needs to be a policy on this, and HR has to be involved as you go down this path, just because you can't just arbitrate it. I mean you can, there are times when you can do that, but you do set yourself up for a lot of challenges if you don't have this in a planned, organized format. Now again, I'm not an HR person, nor am I a lawyer, and therefore this is not legal advice nor HR advice, but this is what I have seen and heard and read over the years, where this is extremely valuable. You just need to make sure that you cross the T's, basically make sure you do what you're supposed to do, and dot the I's. You make sure everything's correct and that everybody is aligned with what you're trying to accomplish.

Now we're going to do the two last things. One is privileged account management, and the last one is service level agreements. Now, privileged account management. This is where you have different products such as CyberArk, Thycotic, I've... that one is a unique one. They've kind of come on the market and I haven't heard a lot about them. But there's Thycotic out there, there's various ones; there's, I think, Keeper Security as well. And a PAM solution is where you keep all your privileged accounts within your organization. It works very well when you have accounts that are potentially shared amongst various resources, and it also allows you to do check-in, check-out in that situation, allows you to rotate passwords, it allows for auditing, and it even records who goes in and grabs these credentials. Now, putting a PAM in place can be an arduous process and it can take a lot of time, but they can be very valuable in your overall scheme that you're trying to accomplish from a security standpoint. Also, they are quite expensive.
They can get very expensive, especially CyberArk; that one's got lots of dollars behind it. It works really, really well, but it has lots of dollars behind it. So you have to determine, at the company you go work for, maybe, just maybe, they don't have that level of funds available, and therefore you may have to come up with different types of solutions. But I do recommend a PAM solution in your environment, no matter the size of your company. And I know in the CISSP they push that pretty hard, because we have so many credentials out there that people are storing, and in many cases they don't store them, they just reuse the passwords. You need a solution for your employees that will help them be able to store this information and be able to protect it in a way that is best for your company. Now, there also might be a situation where, based on regulations, you may be required to have a PAM-type solution, because the regulators or the auditors want to look at it and watch it. So you just need to consider that as well. Regulations do guide a lot of what we do in security, and they're only getting more numerous. So the more you can understand around those regulations, the better you can be for your company, and the more... I'm kind of pausing here a little bit, but basically you provide more value. And I know all of you out there, I should say many of you, are probably looking to get the CISSP because you want to enhance your career, make more money, get a better job, all of those pieces. For that to occur, and to get the kind of resources that you want, you need to be able to understand these regulations and to be able to understand how these tools are deployed. You don't have to actually have the technical savvy to deploy them.
You may have to do that, but you need to understand the overarching concepts so that you can have people do this for you, or at least, at a minimum, as you're doing it, you can teach someone else how to deploy these.

All right. So the last thing we're going to talk about is service level agreements. What these basically are is a contract between your service provider and the end user, and they provide the quality and reliability of the overall services that are going to be provided to you. And so when we talk about least privilege, we talk about PAM solutions, we talk about all of these pieces, you're going to want to call those out within your service level agreement. So, especially as it relates to, if you have a managed service provider, which I mentioned before, it's an MSP, Mike Sierra Papa. If you have a managed service provider that's providing the security benefits to your company, and you want to deal with least privilege, you want to deal with mandatory vacations, all of those aspects, you're going to want to define that within your service level agreement. Now, you may not have it really spelled out that mandatory vacations will be taken once a year, X, you know, you may not have that, but you may have a policy that talks about vacations, about separation of duties, and you would want to refer in your service level agreement that you, a person, must adhere to all of the policies that I have stipulated within my company. So, again, those are an important factor to set expectations, to provide a baseline, and to help manage the overall relationship you have with these managed service providers. The great thing about an SLA is it does give you a common ground so that if things aren't going the way you anticipate they would go... So say, for instance, you have this PAM solution and individuals are not utilizing the PAM solution in a manner that is detailed or prescribed in a policy or other documentation.
Well, the service level agreement would call that out, and so, because of that, you then would have a situation where you could say to this managed service provider, you're not meeting your obligations because of X, Y and Z, and therefore now you can either go through and renegotiate the contract, you can potentially fire them, you could fine them. It just puts everything out on paper for all to understand and be able to deal with what's actually going on within the managed service provider.

All right, so that is all I have for today. So today, again, we talked about a couple of different theories. We got into security operations, and we talked about the need-to-know principle, the least privilege principle and how that factors into what you're doing, as it relates to data migrations, compliance auditing, as well as overall secure software patch installations. We went into separation of duties and why those are important, two-person control and the fact that you basically have a peer check that is allowing you to gain access to these various systems, used a lot in the nuclear industry and in the highly regulated industries as well. We went through job rotation, mandatory vacations, privileged account management, PAMs, and then we finally topped it off with service level agreements. All right, I hope you guys have a wonderful week. I hope you're doing well on the CISSP. Please send me a note. Go to CISSP Cyber Training; there's a contact area. Tell me how you did. I hope that this podcast... I've had others that have mentioned this before as it relates to the overall podcast, that it's unique in the fact that it helps them understand, rather than just reading the book, and the book can be very dry. It can be painful at times. This is a great podcast that you should use and leverage to help you pass the CISSP.
That's what we're all about, and as you hear this information over and over again, the ultimate goal is to give you what you need to pass it, but then also help you with your cybersecurity career as you move forward. Again, coming from a CISO who's got over 20 years of experience, I'm here to help you. Don't try to do this on your own; that's what I created the podcast for. All right, have a wonderful day and we will catch you on the flip side, see ya.
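To make the two-person control and the PAM check-in/check-out ideas from the episode concrete, here is an added Python model. It is not code from the podcast, and it is not how CyberArk, Thycotic or Keeper Security implement anything; it is a small in-memory vault with made-up account and user names (domain-admin, bill, frida, jeff). It enforces that the approver of a checkout is a different person from the requester (the peer check), rotates the password on every check-in and on lease expiry (time-bound, just-in-time access), refuses a check-in from someone who does not hold the lease, and records every event in an audit trail so you can see who grabbed which credential and when.

```python
"""Toy privileged-credential vault illustrating two-person control,
check-out/check-in with rotation, time-bound leases and an audit trail.

Added illustration only. Not code from the podcast or from any PAM
product. All names (Vault, Lease, 'domain-admin', 'bill', 'frida',
'jeff') are made up for the example; times are plain integers.
"""
import secrets
import string
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when a request breaks two-person control or lease rules."""


def rotate_password(length: int = 24) -> str:
    """Generate a fresh random password; called on every check-in/expiry."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Lease:
    account: str
    requester: str
    approver: str
    issued_at: int
    ttl: int

    def expired(self, now: int) -> bool:
        return now >= self.issued_at + self.ttl


@dataclass
class Vault:
    passwords: dict = field(default_factory=dict)  # account -> current secret
    leases: dict = field(default_factory=dict)     # account -> active Lease
    audit: list = field(default_factory=list)      # (time, event, who, account)

    def add_account(self, account: str) -> None:
        self.passwords[account] = rotate_password()

    def checkout(self, account, requester, approver, now, ttl=3600):
        """Two-person control: a distinct approver must sign off, and an
        account can only be held by one lease at a time."""
        if requester == approver:
            raise PolicyViolation("approver must differ from requester")
        if account in self.leases and not self.leases[account].expired(now):
            holder = self.leases[account].requester
            raise PolicyViolation(f"{account} already checked out by {holder}")
        self.leases[account] = Lease(account, requester, approver, now, ttl)
        self.audit.append((now, "checkout", f"{requester}/{approver}", account))
        return self.passwords[account]

    def checkin(self, account, requester, now):
        """Only the lease holder may check in; the secret is rotated so the
        value they saw is useless afterwards."""
        lease = self.leases.get(account)
        if lease is None or lease.requester != requester:
            raise PolicyViolation("check-in by someone who does not hold the lease")
        self.leases.pop(account)
        self.passwords[account] = rotate_password()
        self.audit.append((now, "checkin+rotate", requester, account))

    def expire_leases(self, now) -> list:
        """Time-bound access: reclaim and rotate any lease past its TTL."""
        expired = [a for a, l in self.leases.items() if l.expired(now)]
        for a in expired:
            self.leases.pop(a)
            self.passwords[a] = rotate_password()
            self.audit.append((now, "expired+rotate", "system", a))
        return expired


def demo() -> dict:
    """Walk the vault through a checkout, two policy violations, a check-in
    and a lease expiry; returns what happened so it can be checked."""
    v = Vault()
    v.add_account("domain-admin")
    violations = 0
    first = v.checkout("domain-admin", "bill", "frida", now=0)
    try:                                   # bill approving his own request
        v.checkout("domain-admin", "bill", "bill", now=10)
    except PolicyViolation:
        violations += 1
    try:                                   # jeff checking in bill's lease
        v.checkin("domain-admin", "jeff", now=15)
    except PolicyViolation:
        violations += 1
    v.checkin("domain-admin", "bill", now=20)
    second = v.checkout("domain-admin", "frida", "jeff", now=30, ttl=60)
    reclaimed = v.expire_leases(now=100)   # lease ended at 90
    return {
        "rotated": first != second,
        "violations": violations,
        "reclaimed": reclaimed,
        "events": [e[1] for e in v.audit],
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows four audit events (checkout, check-in with rotation, checkout, expiry with rotation), two rejected requests, and a different secret on the second checkout than on the first. A real PAM adds the pieces this model leaves out, such as session recording and pushing the rotated secret to the target system, but the policy shape is the same.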
