CCT 086: Decoding Data Roles in CISSP and Navigating NIST Guidelines for Cybersecurity Governance (D2.4)

Ever wondered why there's such a massive gap in cyber skills, particularly in this era of economic slowdowns? As we juggle an increasing number of job roles, budget cuts, and layoffs, now is the time to polish off your cybersecurity skills. We tackle the Biden administration's latest push for knowledge on security gaps, the increasing insider threats, and the surprising dearth of AI skills in the industry.

Navigating the cybersecurity landscape has never been more crucial. We demystify the role of a data owner and the responsibilities it entails - data classification, setting access controls, and managing the data life cycle. The conversation doesn't stop there. We also delve into the roles of data controllers, processors, custodians, and administrators, all crucial players in data protection. We also take a deep dive into the NIST Cybersecurity Framework and its implications for these roles.

It's not all about the professionals. Users also play a pivotal role in data protection, and we shed light on the various responsibilities that come with it. We explore topics from authentication and authorization to awareness and training. We also touch on key regulations and laws that apply to data owners, custodians, and users. Wrapping up this insightful conversation, we discuss the significance of specialized cybersecurity coaching and mentorship programs. Whether you're a seasoned professional or a novice in the cybersecurity world, this episode promises to equip you with valuable insights to help you thrive. Tune in for a riveting exploration of the cybersecurity landscape.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free. 

Transcript

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Good morning to Sean Gerber with CISSP Cyber Training. Hope you all are doing wonderful this day. Today is another beautiful day here in Wichita, kansas, and I just can't complain whatsoever. Today we're going to be talking about Domain 2, domain 2 of the CISSP exam. We're going to go over some details around some awesome aspects as it relates to that specific area. But before we do, one thing I saw in the news that was interesting today was around the Cyber Skill Gap. Now this is on InfosexSecurityMagazinecom and I don't know if you all have been listening to the news and what some of the changes that have been happening around the world One of the things that has come up routinely, especially with the economy slowing down, supposedly who knows what it is there has been a cutback in relation to some of the cybersecurity workforces. More or less some people are getting laid off. Now this is interesting in the fact that they're getting laid off but they're not really going to have to wait long to get a job, because I was reading this article talks about how that's basically about. Four million people are looking for a. Basically four million rolls open around the globe for cybersecurity, so it's pretty amazing that you could basically leave a job and then just get one picked up pretty quickly. However, that being said, you obviously have to go through all the pain and suffering of trying to find a new role. But what they're saying is that, out of basically 92% of professionals that they had dealt with are in cyber right now, still see that there's a strong skill gap within their organization, and I've seen that myself, where there's plenty of people that may be trying to learn cybersecurity, but they just don't have all the skills needed. I will even point fingers at myself in that. One of the weak points that I have is around AI and the cloud based security. The good thing is there's other people that are much stronger than me that I work with. That helped me, but at the end of it is I feel strongly that there's just a huge gap between what I know and what I should know and what I actually know, but the bottom line is is that they're having various cutbacks and layoffs are impacting each of the cybersecurity sectors, and I've seen this as well is that there are companies that are either having to do hiring increases, budget cuts, promotions and raises are obviously are getting freeze, depending upon the economy and the business, and then there are obviously some layoffs. And you look at this screen you'll be able to see this on CISP cyber training or actually on my YouTube channel a little bit later on you'll be able to see that there's around a 30% change in organizations that are either dealing with budget cuts, promotion changes, layoffs and so forth. So there's a lot that's happening within the cybersecurity space. That being said, I know the Biden administration just came out with, at the time of this, recording the day a couple days ago where they're putting in place anything that deals with AI. The US government wants to know about any security gaps that you may have. So that's going to put another burden on our security workforces to ensure that they are able to get that information to the US government, and I assume that wherever you're listening to this, your government's probably going to want something very similar to that they all kind of follow suit. When they see a shiny penny, they all grab, gravitate towards it, so they go. Oh, that's a great idea, we should do that too, and that's what they do. They all then, all like little mimings. They all kind of chase the same thing. Now, an interesting also part is that they talked about that there's about 28% of cyber professionals reported layoffs elsewhere in their organization. I've seen that personally, myself that's occurred, whereas in the cyberspace it isn't so much in my roles but in other parts of the organization people were getting let go, which is just. It's not good. It's not good for people, it's not good for morale, it's unfortunate. But it's business, it's not personal, and that's the part that's really hard for some people to understand as well is just the fact that when companies have to do this, they don't do it because they don't like people. I mean, I guess there's probably companies that do that, but for the most part they don't do that. It is just business and they have to deal with the cost of that. But it doesn't help matters any when you're the one that's getting on. That receiving end of that Big thing comes into those insider threats they set around the rise and I've seen this personally myself is that there's more folks that are trying to basically through their moonlighting options, through whatever it might be, are actually becoming a bigger threat for organizations. They're saying this is up close to 71% of the workload of people have increased and so therefore they've. Of the people they've asked is relates to the survey, 52% of them that responded said they've seen a significant increase in insider related events and incidents. So that that's important that wherever you go to your with your CISP, you need to make sure that you are focused on the insider threat issue. It will be a factor. Whatever company you go work for, doesn't matter how good the company is, there's going to be people that are going to take advantage of that. One thing that last thing I want to kind of go through is the lack of AI skills. If you're studying for your CISP, obviously you want to get your expand your career and you want to learn more things. Well, the AI piece of this is becoming a bigger factor. Now, one thing I read that I thought was good is the fact that you know you do as a cybersecurity professional, you're in a much better position than you think you are. You may not know all of the details around machine learning languages, but you will. Based on your experience in security, you can do a really good job of helping mitigate some of the risks that it can be brought on by these different types of technologies. So you have the skills, the chops, needed to be successful. But, again, ai is a big factor in what's happening around the globe and what the changes that you're seeing. All right, that's all I've got. You can check out this article Again. It's at Info Security Magazine and it's about cyber skills and the overall gaps that they're seeing, by James Cooker. All right, let's get started on today's lesson. Okay, so today in this podcast, we're going to be going over the decoding, the data rules that are associated with CISP and around some of the guidelines that you might see through NIST. So we're going to basically get into what are data owners, what are asset owners, what are data processors, controllers, custodians, all of those pieces we're going to kind of walk through as it relates to the CISSP and things you need to be aware of. We're also, at the last part of this, going to be getting into the regulations that you may see as it relates to these different types of roles, so that you're aware of when you may deal with them, because, like GDPR, hipaa, they all talk about these a little bit differently. Okay, so, when you're dealing with these roles, it is important for you to define these in a good way, especially when you're dealing with any sort of aspect of your organization, and it's important that, by doing this, that everybody understands the role that you're trying to accomplish with these specific data protections. And so, as it comes down to, we're going to go into each of these and I'll use an example of how this has been. One in where I've seen in the past that has been a bit of a challenge is that who actually is the data owner, who is the person, who is the administrator, who is the custodian and these terms. These are designed with the CISSP so that you have a consistent set of terms to talk about this within your organization, but when you get into companies, they will all talk about it a little bit differently. But I will tell you that in many cases, the data owner is probably the crux. It's the key factor that you need to really truly understand and you need to work through as a security professional within your organization who is the data owner specifically for the data that you're trying to protect. And then with the CISSP, this is really really hard and I'd say really hard. It's really challenging and you need to make sure that you're leading the overall data protection within your organization. People are going to look to you to give them guidance and direction in this space, so it's important for you to understand it and that's why it's taught in the CISSP is because they feel you should need to know it. It's also called out in NIST, which is your National Institute of Standards and Technology. They will talk about the various data roles that you may experience, and it's a really good article publication to walk you through the data, different data roles and how they would work within your organization. And it's all tied to the NIST cybersecurity framework. Now that framework, as you guys are well aware, that is changing. They have made some modifications to it that will be occurring here in the near future, but bottom line is the NIST cybersecurity framework is a really good framework. No matter where you're at, what country you're in and what geographical location you might be, using, that framework is very helpful. Now there's many other frameworks out there that you can use, but I feel we're kind of come back to this one, mainly because the CISSP works very diligently to in the NIST space. They do talk about the other frameworks that are available, but the primary one that is focused is the NIST cybersecurity framework for 853. Okay, so we're going to get into the data owner. That's the first one we're going to start with and I talked about just a little bit in the preamble of this. The data owner is probably one of the most important roles that I have dealt with, personally as it relates to the CISSP, but also for my data protection environments. So, as your data role, this is usually someone that's well high ranked within your organization. Typically, I've seen it where the CEO or the owner is the actual data owner themselves. They may delegate this responsibility to other people, such as department heads or managers within your organization, but it should be somebody very high up in your company that will understand the data itself, how important the data is, what does the data provide and so forth. Now the responsibility around this person is they will determine how sensitive this specific data is and they will help you in determining the confidentiality, integrity and availability requirements of this specific data. Now what you're going to have to do when you talk about data with this person is. You're also going to have to help them understand where is this data stored, because you may end up having a different protection mechanism of this data depending upon its location, and what I mean by that is is it in a SaaS environment? Is it going to be within your business environment? Is it going to be in your manufacturing environment? Those are areas you're going to have to be aware of when you go and talk to this person. Whoever this person might be, they need to have the approving access or the approving authority for determining what happens with this data itself. So this is a problem I've seen time and again is that there is no real defined data owner and therefore, when you need decisions made around its protection, there's nobody there to actually prove it, because nobody knows that they have the decision rights to do that specific challenge. So it's important for you, as a security professional, to make sure that you define this right out of the get go, right out of the beginning who is this data owner? Now, this also aligns with what the NIST Cybersecurity Framework talks about how identifying and protecting is an important factor in that framework, and by defining who this data owner is, you can identify and also protect the functions specifically defined as data classification and the control mechanisms that are defined around this specific person as well. Now we're going to get into some key responsibilities of a data owner, and you may see this when you're in your CISSP. You may get the question of what is the most important role this person does or what is one of the key responsibilities that this person may do. So here's some key responsibilities of this data owner. Now, keep in mind, is I just I tantalize you right that I'm going to dig deeper, but then I stop and I wait. Oh, no, not yet. Now the thing is is that you want to make sure that, as you're taking the CISSP exam, many of these responsibilities that I'm going to talk about with the data owners, the asset owners and so forth, they're very similar. So you need to use a constructive thought process as you're reading these questions to really understand what they're asking for. So the key responsibility of a data owner is one, obviously the classification of the data, understanding how to define the data's classification from a sensitivity, confidence, spirituality and potential business impact to the organization. So right as an example, it could be where they determine if it's public, internal, top secret secret. They're the person or persons it may even be a committee that make that decision, but they're the ones that will do that. They also will help you with access controls. They just help set the permissions and the sharing protocols for the data. As an example, if you're sharing data outside your organization, they may be the ones that help you to determine what should be shared and what should not be shared. Life cycle management they determine the life cycle of when the data is created, how long is the data saved, and then the deletion aspects around the data, how long it should be retained. They are the people that will help with the overall life cycle management of it. They also will ensure that there's some regular auditing and monitoring of the data. Now you may end up dealing with the data owner. They may not realize they need to do this. You, as a security professional, need to come to them saying, hey, we need to look at this aspect or this application and we need to audit it to ensure that the data is properly protected. They would then give the go ahead to go do that. And then regulatory compliance their responsibility is to ensure that the management they comply with all the laws and the regulations tied to the protection of this information. Now, this information could be proprietary information, like intellectual property, or it could be individuals personal data. You'll deal with this if you're in China. I deal with the PIPL, which is a personal information protection law. You will have to deal with that if you're sending data outside of China as a country. So it will be the data owner's responsibility to ensure that this meets this requirement. Now, to keep in mind, they may end up looking to you as that person. You may become the de facto data owner, but just keep in mind, that is not your role. You need to have someone define to specifically do that Asset owners. Now, the asset owner it has a broader responsibility over the entire asset, and this could be a physical device, could be software, or it could be the data itself. Now, their responsibility is to maintain the overall asset inventory. This includes all hardware, software assets, et cetera and they are responsible for any sort of bringing on anything acquisitions, maintenance or decommissioning of the assets themselves. Now, keep in mind, this could be delegated. Again, a lot of this is delegated in many cases to IT, but you, as an IT professional, need to make sure that there is somebody that, as physical control. It's in their response we call it the RR&E's and their responsibilities, expectations and their role, role, responsibilities and expectations. They need to make sure that that is defined in there for them. But again, it should be defined to one specific person. It should not be to the IT person. Unless you're an IT organization, it needs to be someone within the business. It also this ties well into NIST and how it works. There's also the as it relates to the asset owners. This is mainly concerned with the identify aspects of the cybersecurity framework. So when you're dealing with the data owner or the asset owner, this is where it falls specifically with identify. Now the key responsibilities of asset owners obviously, identification and inventory, knowing what you have within your organization. This could be hardware, software again, data assets as well. The classification and labeling. Now, this person may work very closely with the overall data owner to understand the classification, but there purpose is to ensure that it is implemented in a way that the data owner may wish. Now, the data owner and the asset owner may be the same person. It just depends they could be different. They don't have to be different, but know that they want to have. The key thing around the CISSP is. They were trying to define each of these roles and what their responsibility is, but again, the individual could be doing multiple, wearing multiple hats being the data owner, the asset owner and so forth. The asset owner's responsibility is around the documentation. You need to make sure that all the information is documented where the asset is to include potential custodians and secondary custodians. They also conduct risk assessments and they implement risk mitigation strategies for the specific assets themselves. They can be tied into life cycle management, similar as the data owner. Again, they, you, they could be one in the same, but they want this specifically broken out. They're tied into auditing and monitoring as well. Which kind of tools could be used to monitor the access? As an example, if you have tools that are looking through your environment to know what kind of data you have, what kind of assets you have, there would be an example of I know Intune uses asset management this. As the asset owner, it may be your responsibility to ensure that you keep this, this tool, up and operational and using it come to determine your assets within your organization. They also will be important in developing the policies and the procedures around these assets creating the policy where okay, so is there. Patch management, how? When can you use the asset? When can't you use the asset? Those are the types of individuals that would then help develop and craft that overall policy for your organization. Data processors Now, data processors this is usually a third party organization. It can be in house, but in many cases it's a third party company that was responsible for the manipulation of the data in various business processes. This calls out a lot in GDPR. They want data processors involved, but they're responsible for the overall data itself and the processing of it and the shipment of it as well. Many of these other activities are in line with legal and regulatory requirements and they will have that kind of expectation for the role. When you're dealing with the NIST cybersecurity framework, this is relevant to the protect and respond functions as relates to the CIA triad. So, as you're talking about NIST again, if they ask questions of how is the data protection, or should say the data processor, tied to the overall NIST cybersecurity framework, it would be under protect and respond. Now, the key responsibilities of the data processor would be, obviously, processing the data on behalf of the controller. They execute specific functions such as storage, encryption or analytics taken for the specific data itself. They are responsible for security measures to ensure that they safeguard the data during the processing phases of this, and they also are reliant upon the compliance and documentation piece to ensure that the controller's instructions are properly followed and that they meet their compliance with the legal requirements that may be defined by that specific controller, and this may be. You keep logs, you may keep audit trails and so forth, but this person is responsible for that Any sort of data breach as it relates to the data itself. They would be the person that would contact the data controller. Now, keep in mind, the processor and the controller could be the same person once again, but they wanted to find each of these specific roles so that you knew what the processor did, you knew what the controller did and so forth, and then they could deal with also due diligence around the contractual reviews that you may see related to the overall data processing. Now, data controllers these are people without determining the purpose and the means for data processing activities that may occur. Now that typically the data controllers are within, like, say, within a company, you'll have a controller who their responsibilities to know what data should be processed. They will then send that to a processing third party and that processing third party will manage and manage the data and basically process it. Now, again, like I said before, you can have the controller and the processor as the same person within your organization. It just depends how you've defined that role. But in many large companies the controller and the processor will be different. Now the detailed responsibilities around a controller is the, again, data collection methods, how will the data be collected, and then any privacy laws that have to they have to follow and maintain the controller will be tied to those. Specifically, when you're dealing with the cybersecurity framework itself. This aligns the control the controller aligns with the identify and protect functions similar to the processor. Now the response key to responsibilities, obviously, of the data controllers we talked about earlier, they are the data protection methods and privacy compliance. They're also determines the purpose and means and they decide how and why the data processing activities are occurring. They'll determine the overall purpose of the collection, such as market research, customer service improvement, so forth. They we talked about the privacy. They will be ensuring that they has privacy by design it's a term that you'll hear again and you probably will read it in your CISB exam is privacy by design, and that approach is to development of all newness systems that are being created. You develop them with the privacy in mind and ready to go. Again, compliance they will ensure that they follow it as it relates to GDPR and CCPA. And then the data subject rights as well, of what is a data subject and what is their right for access, what is the right to collect and delete their data. And then contract management obviously, they will come along and make sure that the contracts are properly in place. Data custodians these are technical experts that are tasked with the day to day management of the data. They ensure the data owners policies and guidelines are implemented, and they're the ones that will basically do a lot of the heavy lifting as it relates to the data itself. They'll make sure that the security controls are implemented and they will conduct regular audits. Now the key question around is can the processor, custodians and controllers all be the same person? It does, like I said before, they can be. Typically, they will be separated, but they can also be together under one specific role, depending on the size of your company. Now, as it relates to the framework itself, the NIST Cybersecurity Framework, the custodians are the folks that implement. They do the implementation part of the phase and they put everything into practice. Some of the responsibilities will fall around data storage and backup, data security, access management, compliance, data maintenance and then also retrieval and recovery. So they have a lot of different responsibilities that go into this. So, from the point of ensuring that backups are done, they're available for people to use, the overall security is in place around encrypting of the data, and then they ensure that the patches and updates are done as well. Now, what is an administrator? An administrator? These are individuals with special access permissions that are responsible for the technical health of the system itself. So you have the administrator, who can make sure that the systems are up and operational. They ensure patches are updated. They may work with the overall data custodians to ensure that this is done. They also have access control management. They will make sure that only authorized people can access these systems and they will be the ones that will provide those roles to them. Now, some key responsibilities around administrators you may run into would be the system configuration, user management, monitoring and auditing, software management and then resource allocation. And what do all those mean? Well, when you're dealing with system configuration, it could be configuring the system settings and network that ensures that you have proper software that's installed, they may do that for you. They may be the ones that set up all the new users within your organization. You may have an automated system that does that for you, but this person would then ensure that that automated system is actually meeting the requirements that you want. They will ensure that there's auditing and the logs are done and there's auditing and monitoring that are set up and then, as well as the resource allocation, to ensure that they have the proper systems that can ensure that these systems are running correctly. So, as an example, if you have it in AWS, you would ensure that the systems that are housing or managing this data, that they have the proper CPU, the proper computing power to allow that to occur. They also would be somebody within the incident response place of your dealing with an administrator. They would be tied into incident response and how you would deal with an overall security incident if it would to occur within your organization. Now we're going to get into users and subjects. These are end users who interact with the system and the data but do not have a role in defining how the data is protected or processed. Now they must these their overall responsibility. Obviously the user or the person that is doing this is. They must adhere to the organization's acceptable use policy, which basically means what is acceptable use for this data itself and, as a security professional, you should have an acceptable use policy in place, and so it's important that, as the user, they follow these. Now this could be down to responsibilities would be around authentication authorization. They ensure that they're doing the right thing as it relates to passwords, smart cards, any of that specific log on information. They are properly handle the data and disseminate the data. They're not sending this info. If you have a policy that says do not send information that's business related outside of our organization, they're not doing that. They will take the awareness and training pieces and this is important that they do have regular security awareness, training and phishing tests, and then also they should be tied into the incident reporting that's available to them. They're also report any usage. If there's any issues that they are having problems with, they would be the ones that would manage that and would also report it to you. And it's important that you have users that understand the data protection policies within your organization, because if something goes outside of those protections, they inform you of it. I've had numerous cases where the data was maybe mishandled accidentally and I've had users contact me saying, hey, this is what occurred, what do you recommend? And I've had to go through and help them with that situation. So the bottom line is that users you need to be able to ensure that they understand their responsibility as it relates to the protection of the overall data itself. Now I'm going to quickly go over some of the regulations you may see as it relates to data protections, and one thing to keep in mind is you can see more of this information at CISPSyberTrainingcom or you'll be able to see it on YouTube as well. But bottom line is they were just going to quickly go over some of the regulations that would be tied to the overall data roles that you may see within your organization. Obviously, gdpr deals with data controllers, data processors and data owners. We talked about the data controller and the processors. It is their responsibility to ensure that there's lawful collection and processing of the data. As it relates to GDPR, the owners responsibilities they must approve and monitor the data collection that's occurring, and you're going to need to understand that within the CISPSP. That to help you understand what are the best security measures to put in place in the overall protection of the data. As you're right, in the United States there's the Health Insurance Portability and Accountability Act. This is one thing where you will have to as a CISP. This is where the data owners and the data custodians are an important factor. They will deal with the classification of healthcare data and the custodians is responsible for maintaining and securing of the data. Those are called out specifically within HIPAA itself. There's FISMA, which is the Federal Information Security Management Act. This is where asset owners and administrators are the key factors. Within that, and that's in the United States as well, they're responsible for inventory and the security controls of federal information systems and this is a big factor, especially as we relate to the CMMC, which is your Cyber Security Management Maturity Certification. That is a key factor with understanding what are the overall asset owners and the administrator roles. Sox this is Sarbanes Oxley this is another one that's in the United States and you will see that within the CISP they may reference Sox. It deals primarily with the overall financial sector and it deals with business practices, including data handling and the transparent and correct reporting. This would be tied to business and mission owners, so folks that own the business themselves. Their responsibility are tied to, specifically with Sox, pci DSS the financial industry as well. This is a global thing that, just in the United States and you need it calls out data owners and data custodians. These data owners they must classify the card holder data and the custodians must ensure that it is secured and managed. So PCI DSS is a global standard as it relates to credit cards and you will deal with it wherever you go. California Consumer Privacy Act this is in California, but it does have broader impacts overall. It does have the responsibilities where the data owners and the users and subjects are a key factor in the CCPA. The data owners must provide transparency of the data and, obviously, the users and the subjects have the right to opt out of the data being stored on them. Very similar to GDPR and the fact that you have the right to be forgotten. But the CCPA is one that may be it's in the United States and it's in California, but it does in the United States at least. Other states will look to California for guidance on how they do business and other countries may look to this as well on how they wanna protect their citizens. The Children's Online Privacy Protection Act COPPA this is for kids, obviously protecting kids online, and it's in the United States. But when I give you the United States different acts, many countries are looking to this to use it as well. I mean there's no reason to reinvent the wheel. So they will use some of these acts that are defined in the United States when they define their own. I've seen that in China and I've seen in Europe as well. They all kind of share from each other, but this has specific roles around the guidance for data collection, especially for children under the age of 13. And so, as a CISSP, you need to understand COPPA and ensure that you do have compliance to that within your organization. And the last one is PDPA, which is one I hadn't really heard of until I kind of dug a little bit deeper into this. This is in Singapore. This relates to the protection of personal data against unauthorized access or risks. This is where the data custodians and the data owners would be a big factor within PDPA. You will need to understand not necessarily that it may not pull up the Singapore regulation, which I think you're gonna see in future CISSP exams more of these global regulations, because there's just more of them coming online but it's important for you to be aware that if you get the Personal Data Protection Act, if you get that question and it's about in Singapore you need to be able to, as a CISSP, understand. You may not know that act itself, but you need to understand what would you think it would be asking for. And obviously Personal Data Protection Act would be dealing with personal data, which then will allow you to think of okay, so how do I best protect that and what are they actually looking for in the question? Okay, that is all I've got for you today. Hey, head on over to CISSPcybertrainingcom. There's some great stuff out there for you. I'm actually looking to be making some changes to the offerings I have. I'm gonna get a little bit more personal. I've had so much demand for some different areas that it's actually overwhelming me and to the point of I'm actually gonna limit some of my access that I have both to myself and provide a little bit more content for you all to be able to study for the CISSP. Gonna take that to the next level where we're gonna help you with your CISSP or your cyber career and gonna provide you some guidance around that. But it'd be very, very specialized, very niche, very, for very specific people, and I'm only gonna be offering a few of these coaching and cybersecurity mentorship programs every year. They're gonna be very limited on what I can do just because of my time, and I wanna be able to give whoever I'm working with the most amount of time I possibly can. So stay tuned. You'll see some more things coming around. That that's coming here very, very quickly. We should have that here within the next couple of weeks and you will be seeing some more on that. All right, hope you have a wonderful day and I wish you the best with your CISSP studying and your CISSP testing. And it's awesome, you're gonna get it done, I have no question about it. We'll catch you on the flip side, see ya.