CCT 087: Practice CISSP Exam Questions Decoding Data Roles and Navigating NIST Guidelines for Cybersecurity Governance (D2.4)

Nov 09, 2023
 

Brace yourselves for an insightful journey into the omnipresent world of cybersecurity. We're cracking open the complexities of data classification, HIPAA, and child data protection. We'll also take a hard look at international regulations through the lens of Singapore, China, and the US healthcare sector. But who's really responsible for your data? And what happens if they fail to protect it?

As the gavel drops on SolarWinds in the wake of the SEC action, we dissect its implications for businesses and security professionals alike. We also tackle the repercussions of 40 countries pledging not to pay cybercrime ransoms. But we're not just about updates; we're about empowerment. Whether you're just dipping your toes into the cybersecurity pool or are a seasoned professional, we've got something for you. Navigating your career path, tips for building a killer resume, negotiating contracts like a boss, and strategies to boost your earning potential: it's all here. Come, expand your cybersecurity horizons with us!

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

Transcript

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

Hey, I'm Sean Gerber with CISSP Cyber Training, and I hope you all are doing well. Today is a great day. Today is CISSP Question Thursday, and today we are going to be talking about various aspects of roles within the CISSP that you may be asked about. That would be the data custodian, data processors and so forth. Yes, a riveting podcast today, no question about it.

But before we do, we want to quickly cover an article that I saw in the news today, in a specific location called Infosecurity Magazine. I got pinged on this, and a couple of different people mentioned it yesterday after we were having some conversations, around 40 countries agreeing not to pay ransomware-type ransoms, so cybercrime ransoms. It was an interesting article because I got pinged by some senior folks that I know, and they were asking, well, how does this impact businesses? And after looking at it, I'm going, I really don't know. There's just not a lot that came out of it other than to say these 40 different countries around the globe agreed that they would never pay digital extortionists money. Now, what does that really mean? Like I said, it's not real clear other than to say that these governments agreed they would not pay some sort of ransom if they were attacked. Now, the United States is leading the way in trying to get other countries to not pay as well, with the ultimate goal to dry up some of this money that the attackers are trying to get. And so the interesting part is, how does this play out? I don't know.
So one of the questions that came up was, as it relates to a business: if a business decides to pay the ransom, versus the government saying they can't do it, can a business go and specifically pay the ransom? And I would say that, yes, you definitely can go pay it, looking at what this little tiny article that I can read says. But I think it comes back to, does it put a business in potential jeopardy by doing that? And it might, right? So if you're a company and you decide to pay the ransom, and your country is one of those that agreed not to pay the ransom, will they come back after you in the future saying, well, you paid it, so therefore we're going to come after you, because we pledged we would never do that? Again, the United States tried this with the FBI in the past, where if you paid the ransom, they would actually come after the businesses that paid the ransom. They got a lot of blowback for doing that, and I was talking to the FBI probably about a year and a half ago about this specific topic, and they said that, yeah, they used to do that in the past, but they know that businesses are just trying to survive, and so they wouldn't necessarily come after you. But like anything in life, that can change. So it's a pretty good article. I mean, it's not very long, and we'll see what more comes of it as time goes on. But again, this is from Infosecurity Magazine. It's about 40 countries that agree not to pay ransoms, and so if you're looking to get your CISSP, I highly recommend that you go and check it out, just because it's important for you to stay abreast of current trends that are in the cybersecurity space, because once you become a CISSP, you will be asked many of these questions of what do you think and how should you address these problems.

The other thing, real quick, was that I don't know if you all saw that there was a SolarWinds story.
The FBI, or actually I should say, in the United States, the SEC, which is the Securities and Exchange Commission, did go after the security company, actually SolarWinds, based on some fraudulent claims they had, and it also went after their security leader. So it's interesting that if you are a security person and you work for a company, you are potentially on the chopping block if something bad were to happen. So therefore, it's important that if you get your CISSP and you move up the chain within the security space, you have all the protections you need to protect you and your family in the event that somebody would start coming after you because you didn't do a good enough job of protecting the corporation's information. So many, many more things to follow, and this world is never, ever dull. It's always changing.

But we want to talk today about the various CISSP questions that are related to domain 2.4. This is going to be getting into the various data processors and data custodians. How do they all roll out? And so we're going to talk about this right now, okay. So question four, or actually I should say group four: you're going to be able to see this at CISSP Cyber Training. These are some of the questions that are there and available to you. We'll begin. This video is available on CISSP Cyber Training as well as YouTube. You'll see that at a later date, sometime here in the near future.

Question number one. Okay, this is under group four. There are 15 questions. This is question number one. Which data role is responsible for actually executing the processing of data under GDPR? A, a data controller. B, a data processor. C, a data owner. Or D, a data custodian. So which data role is responsible for actually executing the processing of the data under GDPR? And, as we know, GDPR is the General Data Protection Regulation, and that would be a data processor.
That person is responsible for executing the processing activities under GDPR. The controller, they lay out the specific guidelines and ensure that these activities are lawful. The controllers can be within the organization or they can be a third party. That's possible. It doesn't have to be within your company, but they are the actual processing group that carries this information out, or carries a process out, I should say.

Question two: which regulation would you associate with financial sectors? A, PCI DSS. B, COPPA. C, HIPAA. D, GDPR. Which regulation would you associate with a financial sector? And that would be A, PCI DSS, which is the Payment Card Industry Data Security Standard, and this is specifically tailored for financial sectors to secure cardholder data. Now you may go, what? You know, we've talked about this a lot in the past: PCI DSS is a framework that is out there, a standard that's out there globally for you if you have credit cards, and it helps companies understand what they should put in place to ensure that they meet these specific standards that are for credit cards. Now, these are the guidelines that are out there if any of that data is handled, stored or transmitted, ensuring that it is done in a secure manner.

Question three: which role typically focuses on hardware and software assets? A, a data owner. B, a data processor. C, an administrator. Or D, an asset owner. So which role typically focuses on hardware and software assets? So again, look at the key terms when you're taking this test. Which one are the software and hardware assets? That would be D, asset owner. An asset owner is responsible for the hardware and software assets within your organization, and they typically will oversee the inventory, classification and application of security controls for each of the assets. Now, we talked about this in the past.
The asset owner could be the same person as the data owner, depending on the size of your organization. It's highly encouraged that you would have them as separate roles, but they can be one and the same.

Who is accountable for data classification under HIPAA? A, a data controller. B, a data custodian. C, a data owner. Or D, an administrator. So who is accountable for classification under HIPAA? And if you're looking for data classification, just like we talked about earlier, you're talking the data owner. The data owner is responsible for classifying the healthcare data, determining the sensitivity and the appropriate security measures for its protection. Now you may be going, well, what happens? You know, I talked about up above, you had the asset owner specifically, and that is when you're dealing with hardware and software assets. But if you're dealing with HIPAA, typically that's just the data itself, really, and when you're dealing specifically with the data piece of this, it would be the data owner.

Question five: which act provides guidelines for data collection, processing and storage of all data related to children under the age of 13? So this is for little kids, right? Small children under the age of 13. Which provides guidelines around the data collection, processing and storage related to these young people? A, COPPA. B, HIPAA. C, GDPR. D, DPA. Can you say all these acronyms? You too would have a challenge, because it's a challenge. A is COPPA, B is HIPAA, C is GDPR or D is DPA, and the answer is A. COPPA is the Children's Online Privacy Protection Act. This one is specifically designed for children under the age of 13, so it defines how you can collect data on them. I don't know if you noticed, but you'll see this question on YouTube. They ask, if you're posting a video, is this for small young children? Then that puts them in a different bucket. They treat that as COPPA data.
Question six: which regulation is specific to Singapore and focuses on the protection of personal data? A, GDPR. B, CCPA. C, HIPAA. Or D, PDPA. And the answer is D, PDPA. That is the Personal Data Protection Act, and it is designed for Singapore and focuses on the protection of personal data against unauthorized access and risks. Again, you will see there's another one that they may have. They probably don't have it this year, but they may have it next year: the PIPL, which is the Personal Identifiable Protection Law. This is tied with China, so you're dealing with all different types of laws that you are going to have to be aware of.

Question seven: which role typically has the least amount of responsibility regarding data management? A, data owner. B, data controller. C, users and subjects. Or D, data processor. So which role typically has the least amount of responsibility? So, when you're dealing with responsibility, who has the most? Well, your data processors, your custodians and so forth. But who has the least? It would be the users and subjects, answer C. Users and subjects typically have the least amount of responsibility when it comes to data management. Their primary interaction is with the data and usually involves providing or using it, but generally they're not responsible for its upkeep and its security, unless you're all the same person. So typically the user and the subject are the individuals that have the least amount of responsibility.

Question eight: which regulation specifically focuses on the healthcare sector? A, GDPR. B, PCI DSS. C, HIPAA. D, SOX. And the answer is HIPAA, right? We talked about that. C is the Health Insurance Portability and Accountability Act, and it is designed to regulate the healthcare sector.
Keep that in mind. Again, if you know that the ultimate goal of the CISSP Cyber Training Podcast is to help reaffirm all of these questions that you are going to see again, and also to provide you guidance on what you should do as a security professional, right? Because at some point you're gonna pass the test, or you're trying to go beyond the test, beyond what you can actually deal with in passing it. Once you get that done, how do we help you in your cybersecurity career?

Question nine: which role is responsible for installing, maintaining and securing system hardware and software? So again, which role is responsible for installing, maintaining and securing system hardware and software? A, administrator. B, data owner. C, data controller. Or D, asset owner. Okay, so which person is responsible for installing, maintaining and securing the hardware and software? A, administrator. Okay, so you probably had an easy one to bite off on when you go administrator or asset owner. The asset owner will keep the classification, but the one who installs, maintains and secures it typically would be the administrator. They are the ones that do that, but they will work very closely with the asset owner to ensure the security and integrity of these assets.

Question 10: who holds the highest level of accountability for data within an organization? A, a data controller. B, a data custodian. C, data owner. Or D, data processor. Who holds the highest level of accountability for data within an organization? And the answer is C, data owner. A data owner holds the highest level of accountability within the organization, and they typically are senior-level managers. We talked about this, where you may want it to be your CEO. It could be maybe the CFO or the actual owner of the company, but they're very high level. Now, they may delegate that responsibility down to somebody else within the organization, but the data owners typically are the highest level of accountability for data within an organization.
Question 11: which regulation would require an organization to follow federal security standards? A, PCI DSS. B, FISMA. C, CCPA. Or D, PDPA. Okay, so which regulation would require an organization to follow federal security standards? A, PCI DSS. B, FISMA. C, CCPA. Or D, PDPA. There are a lot of acronyms, and the answer is B, FISMA. FISMA is the Federal Information Security Management Act, and it requires federal agencies, and this is in the US, federal agencies and their contractors, to adhere to federal security standards for information systems. So again, this has got a lot of US bent on it. But you're also dealing with CMMC, which is the Cybersecurity Maturity... Cybersecurity Maturity, yeah, I forgot what it was. Yeah, CMMC. Oh my gosh, too many acronyms. But the CMMC is designed specifically for Department of Defense contractors, and it works on the same concept: they have to follow various standards. When you're gonna be a CMMC contractor, what it really comes right down to is, if you're gonna be making some sort of widget that would help in the defense of the United States, you have to be certified as CMMC. Now, there are different levels of CMMC that you would have to be. So, like, if you're Northrop Grumman, you have to meet the highest level. If you are a person who makes rivets for the F-16s or F-35s, that is a different level that you have to maintain. But the bottom line is, it's a way that they're trying to get some level of security built into these programs that are in the Defense Department industry.

Question 12: which role is focused on setting policies for data collection and usage? A, data owner. B, data controller. C, data processor. Or D, data custodian. Which role is focused on setting policies for data collection and its usage? And the answer is B, data controller.
Again, that data controller is generally responsible for setting up policies related to data collection and usage under regulations such as GDPR.

The data controller, business and mission owners. So business and mission owners, we haven't really talked about them much. Those are the folks that are at the highest level of an organization. They're the ones that give the direction of where your company is going to go, both from a strategic and an operational standpoint. So they typically are not ones with specialized technical skills. They may have had those at one point, but at this juncture they're not a specific technical person. So that would be a data custodian. They usually require special technical skills for tasks such as database management, backup and restoration. They are responsible in many cases for implementing security measures defined by the specific data owner. Now, the data owner may or may not have that knowledge. They may have to delegate it to somebody else, but the data custodian is usually the one that is defined or designed to be the person that would handle that.

Question 14: which role should be well versed in SOX compliance, Sarbanes-Oxley compliance, to understand its impact on data and information systems? A, data custodian. B, data processor. C, asset owner. Or D, business and mission owner. Okay, again, a business and mission owner: they're the higher-level positions within a company. So A, data custodian. B, data processor. C, asset owner. Or D, business and mission owner. And this is a person who should be well versed in SOX. And that answer would be D, business and mission owner. They need to be well versed in SOX as it directly impacts their accountability and basically the reporting process that they may have to do, so it's important that they follow it very, very closely.
Question 15, the last melon: who is primarily concerned with providing and controlling access rights to the data? So who is primarily concerned with providing and controlling access rights to the data? A, data owner. B, data controller. C, data custodian. Or D, administrator. And the answer is D, administrators. They are generally responsible for providing and controlling access rights to the data. They often work in collaboration with the data owners, ensuring that only authorized personnel have access to the specific data sets that are out there.

Okay, that's all I've got for today. Hope you guys have a wonderful day. Again, head on over to CISSP Cyber Training. There are some great things there for you. All of these questions are there and available. You can get access to them immediately to help you study for the CISSP exam. Also, if you're looking for career planning, what you should do as a security professional, there you go. There you will get what you need, specifically around looking at your overall future and where you want to go. Now, you want to make more money? That's the place to go, to help you understand how to best do that. We have things from working with your resume, to helping you negotiate for your upcoming contracts, to looking for a new job. How can you do that? The ultimate goal is to help you: one, become a cybersecurity professional, if you're not already there. Two, if you already are a cybersecurity professional, the skills you need to help you take it to the next level. And three is to be able to give you the most amount of money that you can achieve in this wonderful cybersecurity career. Again, I'm here to help you. Whatever you need, we're there for you. All right, have a wonderful day, and we will catch you on the flip side. See you.
