CCT 104: Navigating Transborder Data Flows in Cybersecurity and the CISSP (Domain 1.5)

Jan 08, 2024
 

Cybersecurity isn't just about technology; it's a battleground where legal expertise and international laws become as crucial as firewalls and encryption. Brace yourself as we navigate the tumultuous waters of cyber attacks, from the shocking breaches in Kansas and Australia to the alarming targeting of US infrastructure by Iranian hackers. Our conversation isn't just a rundown of threats; it's an essential guide through the labyrinth of legal consequences for those at the keyboard's dark side, the life-altering dangers of 'swatting', and the pivotal role legal teams play when digital walls are breached. If you've ever wondered about the balance between sharing information and protecting an organization's reputation during a crisis, this episode lays it bare with the precision of a scalpel.

Transparency and privacy—two sides of the same coin that can make or break trust in this digital era. We explore the intricate dance between these two forces within the context of a 12-week year strategy that reshapes how cybersecurity goals are pursued. You'll get insider tactics on breach notification, navigating the choppy seas of transborder data flows, and adhering to a mélange of international privacy laws. For those who hold the keys to sensitive data, we dissect the importance of data classification and the ethical impetus to uphold privacy, all while ensuring that the data complies with the variegated tapestry of global regulations from GDPR to CCPA.

As we gear up to close the curtain on this episode, we shift our focus to empowering cybersecurity professionals with the knowledge and skills to not just pass the CISSP exam, but to thrive in their careers. Whether through self-study programs or the personalized touch of one-on-one training options, cybertraining.com stands ready to equip you for the challenges that lie ahead. Join us on this journey to fortify our defenses against the cyber threats lurking in the shadows, ensuring that our digital future is secured by the best in the business.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

Good morning, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a beautiful day today. Today is Monday, and it's a brand new year. We're in 2024, so if you have a plan, 2024 could be your year. I know every year comes and goes. It's pretty amazing how fast the time goes by, and the older you get, the more you realize that. I will tell you that I'm really old, the kind of old that was around when rocks were still soft. But it's just crazy how fast the time is going by, and I think cyber makes it even faster, just because there's so much going on in the world of security that you constantly have to stay attuned to it.

Before we get into our session and the training for today, there were two articles that came out that I was really concerned about. Here in Kansas the court system was hacked, and it took them about six weeks to recover from a ransomware attack. As a cybersecurity person, you know that business resiliency is a huge factor in protecting your company's networks and protecting the place you live. There was another situation that occurred in Australia where some court hearings had become open because of a ransomware attack, where the attackers were basically able to get access to the recordings of the court hearings that occurred. That's pretty disconcerting as well. There's so much information, as we all know, out there and available, but now this stuff is available to attackers.
This was a children's court, and basically there were hearings that were collected from a meeting in October, and the attackers were able to get access to the overall network itself and the recordings, the TV recordings, the video recordings of it. So it's really sensitive, right? You're dealing with court matters, you're dealing with children. It's just not good at all.

Another thing that occurred: they mentioned the wastewater treatment facilities. The United States has confirmed that at least four wastewater treatment facilities have been attacked. The interesting part on this is, I don't know if you all paid attention to the wastewater facility down in Florida that had been attacked. It's probably a couple of years ago now, but the interesting part on that is the individual had remote access into this treatment facility, where they could add certain chemicals to the water. The normal thing is to add chemicals to the water supply to help make it more potable, so that you can drink it, or portable, or I don't know, that's a big $10 word that I don't know, but it's to make it more drinkable. And the interesting part in all this is there have been four more attacks, and these have been related to some Iranian hackers that have gained access to water treatment systems in the United States. I know that I've seen one or two that have been outside the United States, but bottom line, these attackers are going after money, which, okay, that's bad; it is stealing people's financial aspects. But when you're going after people's water supply, that is a much different animal, and this kind of activity needs to be destroyed as fast as possible because it just shouldn't be happening. And if you can't stop the attackers from doing it, it's up to you as cybersecurity professionals to help these places secure their networks.
And again, you can check this out on CNN. I know CISA has released a notice for small providers of these water systems and water supplies to look at ways to protect their systems. So I know that came out from CISA as well. But if you're going out there and looking through the internet, take a look at this. It's pretty interesting, just the fact of what these folks are doing and the fact that more talent is needed to help secure these environments. So go check it out and see what you think of it.

Okay, in this episode we are going to be talking about transborder data flows and cybersecurity as it relates to the CISSP. We're going to be in Domain 1.5, and we're going to be talking about various aspects around that topic. Now, obviously, we won't be able to get into everything that's in 1.5, but we do cover the big crux of this part around transborder data flows. It's becoming a bigger factor, it's something you're going to have to be aware of as a cybersecurity professional, and it's also most likely going to be something you'll be asked on the exam that you're going to have to understand. Now, a lot of my listening audience are folks that are probably a little less junior, probably a little more senior in relation to age and maybe experience, and you all have probably experienced some level of this IT speak. But I will say this is a new aspect around these data flows that are going to and from countries. Now, it's obviously been around since networks have been around, but the look and the view on that from various countries is interesting, because they all have a different view of it and a different take on it. But before we get into it, we're going to basically talk about the three main topics we're going to get into.
One is the legal implications of cybercrimes and associated data breaches, then the notification requirements around data breaches, and then the transborder data flows. Those are the three topics that we will be covering today.

The other thing is, we're trying to make 2024 a new year by mixing up the podcast a little bit and seeing what is resonating with the folks that are listening to this, so just let me know, if you can, at contact at CISSPcybertraining.com. You can send me an email at any time. I love any feedback that you may want to provide. I'm actually probably going to put a page on my website for this at CISSPcybertraining as well, because I want to make sure I'm giving you the content you need to help pass the test. There have been a lot of folks that have reached out that have passed the test and said thank you. They really like the podcast, just because it provides a little bit more content and a little bit more depth than what they would read in the book. And then I also want to try to tie in a little bit closer to the book. Maybe where is it at in the book? So if you're having some study challenges, you can go back and actually reference the content that we have on the podcast.

Okay, so let's get started. So, the legal implications of cybercrimes and breaches. As you all know, these can have varying aspects. Beyond the legal implications, there's also a physical implication. I didn't put this in the notes, but one of the things to consider is the fact that if you are an attacker and you go and attack people, such as what we've seen in the waste treatment facility, once you start opening up the aspect of potentially hurting individuals, that opens up a whole new realm of potential ramifications.
So if you're an attacker listening to this, one of the things to think about is that countries don't like their people being attacked, and if you start doing that, you may run into a situation where you wake up one day and you may not be here. I mean that not to be joking or flippant about it, but countries don't like it when their people are hurt, and therefore you may have individuals come after you that may not be interested in your well-being. So it's important that we understand that this kind of activity can hurt people, both from a financial standpoint and from a physical standpoint. But we're just going to focus on the legal implications that may come with cyber crimes and the associated data breaches.

Obviously, in the United States, there are various laws that you will deal with, and one type of law that you may see on the test talks about the various aspects around civil and criminal liabilities. We'll get into that in just a little bit. But you have civil and criminal liabilities, and you have penalties that you may have from a financial standpoint. So there are all these different types of things that could occur if you are dealing with cyber crime activities here in the United States. Now, if you're listening to this from another country, obviously if you're in a democratic society, in most cases the laws are very similar, as they are tailored off of the US system in many cases, not all, but many. And so if you're dealing with the act of cybersecurity, one of the penalties that you can run into is, obviously, life in prison. There can be financial aspects that come with this, to include garnishing of wages or large fines.
Then, once these penalties come into play, they have a double aspect where, if you are in a situation where you perpetrate some sort of crime against another individual, you can be in a situation where you will be forced to look at two types of law. There's the civil and then the criminal liabilities that can roll into this. So one is the criminal piece. If you're doing some level of hacking against an individual, you could run into a situation where, in the United States, it could be a felony and you could be put into prison for a very long period of time. Now, that is the criminal side of the house, and that is usually the first avenue that a prosecuting attorney will go towards. So now that you have the criminal side, let's just say, for instance, an individual is not found guilty of the crime that they have allegedly been accused of. Then what can happen next is the civil piece of that will roll into it. So now you may have individuals come after you and sue you as an individual because you allowed some level of activity to occur.

Now, this has occurred especially in the swatting type of activities. I don't know if you've read it in the news this week. As of this recording there has been a lot of political drama around Donald Trump wanting to become president, and there have been judges that have made rulings that may have been questionable to some people, and other people say, hey, these are great, but these rulings have happened. And now what individuals have done is called in swatting, where they will call the police department to basically go after this house. I don't know how else to explain it, but they call in the SWAT team, hence the name swatting, and there's no activity that's going on. There's nothing malicious or bad from the perspective of law breaking, but they're calling the police in on these people just to basically cause drama at these folks' homes.
And here in the United States, actually where I live, there was a swatting incident that occurred where there was a gamer, and this individual was playing a game. I guess they got heated, there were some disagreements on the game, and the individual who didn't like this person here in Wichita called in the SWAT team, basically the police, and made a comment that there were some illegal activities going on in the home. The police didn't understand what was happening, the individual came out of the house, and the details are very fuzzy, but bottom line is the individual was shot and killed. So this is a very dangerous situation, where individuals are calling the police in on people, thinking that there's some sort of crime being perpetrated. So again, all of these things can happen, and they do happen, and therefore you, as a cybersecurity professional, need to really be aware of it. I was dealing with a very senior leader of our organization just yesterday, and you know what? He's a very smart man, extremely brilliant, but doesn't understand all the cyber stuff, and he was coming in asking very pertinent and very direct questions. You will be the expert, and you have to be the person that's going to give them that information.

Now, there's case law and there's precedent. What you may see in the CISSP exam is they're going to talk about various case laws that you may have to deal with. There are important court cases and legal precedents that set the tone for how these crimes will be worked out in the court system and then how data breaches will be worked out. Now, one thing I noticed: there was a recent article that came out from, I want to say, the SEC. So you all know the CISO for, and I'm going to do this wrong, SolarWinds.
I think it's the SolarWinds one that was just sued by the United States Securities and Exchange Commission for not doing enough work to protect the information. Now, why is that a big deal? Well, when it comes to a CISO, a security officer, your goal is to help protect the information in your organization. Well, SolarWinds is this highly resilient and relied-upon product that they use within the supply chain. Because they didn't do enough due diligence on protecting that product, the SEC is coming down and saying that they were negligent, and therefore the security person is potentially in a situation where they may be going to jail or getting a high fine. I would say they haven't gone criminal against them yet, but they've sued them at a minimum. So you're looking at a situation where, as a security professional, you may end up getting sued, and especially when you get into the more senior roles within an organization, and at a publicly held company, you are open to more of those situations. So that's one thing you need to be aware of as well.

So I've thrown a lot of doom and gloom at you here today, but bottom line is, these are aspects that, as you get into the security world, you need to be aware of and cognizant of. Obviously, if you're going to be in a senior-level role within the security company, you need to be aware of what it could potentially cost you, and therefore you need to also be compensated for that. That's something you need to be talking to your senior leaders about as well: your compensation should be equal to the actual risk that you're taking on for your company.

Now, when you're dealing with breach notifications, we're seeing more about this in the various countries around the globe. There are various variations that are occurring. One of them is GDPR.
Obviously, in the EU, GDPR does have its own type of breach notification requirements, and this is a 72-hour breach notification requirement. And you're seeing it in more than just the EU and GDPR. It is also in China. There are some as low as 24 hours. Actually, I've seen one that was within 30 minutes. You had to let somebody know. Obviously, that is very challenging, to let somebody know there's a problem within 30 minutes. But, that being said, you as a security professional must be aware of how to talk to the senior leaders about this. So, as an example, when the 30-minute one came to my attention, I reached out to our senior leaders that were in that country and said, honestly, what does this mean? Now, this is a different language, so they had to speak in the native language to understand what the context of this 30-minute notification was, and as we dug deeper into it, we came to find out that the individuals that set this 30-minute requirement did not truly understand what they were asking for. And that's not their fault; it's just the fact that, hey, if something bad happens, I want to know immediately. Well, define what something bad is. And that was the challenge. And as you work through this, you're going to need to understand what this means, and then you're going to have to get the legal people involved to go, okay, so when we have a situation that falls into this type of parameter, that's when the breach notification situation will occur. If you do it too soon, you don't know what you actually have. You could be alerting on every little thing that occurs, and then there's, I call it a tail, but there are lots of requirements that come once you open up that Pandora's box.
So you must really understand the requirements around this and who should be notified, the affected individuals, the regulators and so forth, and you really need to understand the timeline of this notification and what type of information should be disclosed. We've mentioned this before in podcasts throughout the year: it's important for your legal team to be involved so that they understand what is actually being disclosed to these regulators. Not to say that you want to hide anything. That is not at all what I'm saying. What I'm saying is that any legal activity, or any activity you deal with, especially with a government entity, has ramifications for the information you provide, and you need to make sure that that information is true and correct. However, you also need to make sure that your legal team is aware, because the security person releasing a statement means something very different than if the CEO releases a statement. So again, this is not legal advice. I'm not a lawyer, and I'm not telling you to do anything like that. I'm just saying your lawyers can be your friend, especially in a cybersecurity incident, but you're going to need to make sure that they understand what requirements are being asked of you and the information that you need to give. You need to give them what they need, but no more. Again, it's not to hide anything. It's just that the more information you provide, the more you open yourself up to all kinds of risks that you need to be aware of, so ensure that you have the information that they need.

The other thing that happens is that when you have these breaches, they do impact your potential reputation and the trust individuals have in your organization. So it's important for you to notify people, because if you don't provide that notification early, it can lead to loss of customer trust and damage to reputation.
One example of this is the recent Clorox breach. They had a situation that occurred at Clorox. It's the antibacterial wipes company here in the United States; they also do bleach and so forth. In that incident the CISO was released; the CISO was let go over the ransomware attack that occurred, which may be totally fine, but then individuals within the board and within the leadership did not have the same level of punishment for not adequately protecting their environment, and as a result, it made them look bad, in my mind at least. Now, some of the shareholders, the people that own the stock, may not think that, but from a cybersecurity perspective, some of the actions that occurred would not be something that I would want to be part of, right? So if I got fired from Clorox and then the board gets a pay raise and everybody pats themselves on the back, that would probably not be a good thing for people to do, because they need to own it. The leadership needs to own it just as much as the CISO needs to own it. So, again, those are areas where a breach could affect your overall reputation within your organization and within your supply chain.

Now, there are global variations around breach notification. I've mentioned this before, but there are legislative differences between them. We talked about the EU's 72 hours. There are laws within the United States that are in that 72 hours, but there are some that are higher. One thing you'll learn about in the United States is that each of the states has its own data breach notification law. The United States government has not come down with an overarching breach notification requirement. Now, they've dabbled in it in certain sectors of the US market, but they haven't actually come down and said all states must comply. So therefore, it is set up state by state.
Let me just say that the ones that are probably most restrictive are California and Massachusetts. Those are the ones that I've used in the past in a situation where, if I'm going to use a state's legislation that is the most restrictive, I will use one of those states and then base my controls on that. So if California has it at 72 hours, I will base it on 72 hours. If California had 96 hours, I would base it on 96, because most of the other states in the United States are not nearly as stringent as California or Massachusetts.

You need to have thresholds around your notification. This is basically when it should be reported, and I talked about this briefly earlier. What is an event? What is a cybersecurity incident? When should you report it? All of those aspects should be defined, because, as anybody who's been in cybersecurity for any period of time knows, even though you define what an incident is, the odds are high that a situation is going to come up that is outside of those parameters. So you're going to have to figure out, okay, what should I do? But the ultimate goal of defining your threshold for an incident is that you can come back to it when the incident does occur. You're not trying to second-guess, well, should I call it? Should I not call it? If you've already gone through this in your mind, and you've already brought up to the senior leaders what an incident may look like, then at least you have something to deviate from, and that's an important factor. So you do need to understand your thresholds for the notification.

You also need to have a receipt of the notification. What does that mean?
That means that if you are sending something to a government entity or government regulator saying that you had a breach, and I know right now the Department of Homeland Security is playing with some of this, each of the various entities, let's see, there's the Maritime Transportation Safety Act with the Coast Guard, they have breach notifications. Each of those is a regulatory body that you have to send notification to. If you send that to them, you need to have some level of receipt from them. First off, people change jobs, so you need to know the recipient, and then you need to get a receipt that it has been received and has been properly documented. Again, you have to maintain the paper trail with all of this. There are a lot of ongoing risks that can occur. Then you need to make sure it has the right content in there for them. What is the information they need to know? In many cases it's just: what was the incident? Where did it occur? Was any data exposed? Those are some of the key factors they're going to ask. Who are the main people running it? When was it discovered? When was it resolved? Those types of things. Again, you need to look at what the government requirement is and what they're asking for. I would highly recommend you do this prior to having an incident. You don't want to be dealing with this while the incident is going on. You just don't.

When you're dealing with a notification, like I mentioned a little bit ago, you need to detail the breach, what occurred. The other term I want to throw out there, and you may see this on the CISSP, is breach. Breach is a well-known term that people use in relation to a cybersecurity incident. I'm one of those that likes to use, in my vernacular, incident or event. I would tie out what an event is, what an incident is, and what a breach is. I would define each of those.
The reason I say that is because each of them has some other legal consequence that rolls with it. Again, not a lawyer, but these are aspects you want to work with your legal team on. If it's an event, I will mention that lots of events are occurring. These events could be something as small as spam or potentially an initial ransomware-type attack. The reason I say that is, if I use the word incident or I use the word breach, then what can occur is that now my timing triggers can kick off. I might be required to kick them off, but, as you all know, in security I may not know what I have until maybe a day or two into the overall situation. If I say it's an incident right away, or it's a breach right away, now my timer is ticking and I have 72 hours when I don't even know what I'm dealing with. It's really hard for me to give information to these regulators when I don't even know what I'm dealing with. So, again, it's important for you to really define these terms, because if you do that, it will potentially save you time and it will get the regulators the information they need for whatever purpose they have.

You need to define what mitigation steps are going to be taken: how are you going to manage your incident and how are you going to resolve it? And then who are you going to notify? Obviously the authorities once it is resolved, and then you need to have some level of guidance for the affected individuals. What should they do to protect themselves, such as changing passwords or monitoring credit reports? All of that detail you need to have available for people, and it can be as simple as canned reports that you have set up for folks to help them get through this situation.

I'm reading a book on the 12-week year, and it's actually really good. I know I'm digressing for just a second, but what it does is help you prioritize your goals for the year, but it doesn't go for an entire year. It focuses on just 12 weeks.
I would recommend, as cybersecurity professionals, that you focus on what you are trying to accomplish in the next 12 weeks: for one, obviously, the CISSP, but two, what are you trying to accomplish in your cybersecurity plan going forward?

As we're dealing with the impact of a situation that may occur, there's the reputation and trust impact that could happen in the event of an incident. There could be a lot of immediate impact. One, if you're a publicly held company, your stock starts tanking. You can have individuals leaving your company because you didn't do a good enough job of protecting their information. It can also cause long-term reputational damage, both from a customer loyalty standpoint and from losing business, plus the overall cost of mitigating the issue. I saw the article around, oh, is it, it was the ransomware attacks that occurred with the MGM casinos, and they're saying that, you know, it's either MGM or Clorox; after reading so many articles, I can't remember which one it was. But bottom line, each of these incidents has cost anywhere from 300 to, I've seen this up to, a billion dollars in revenue loss and mitigating the risk. So your long-term damage can be substantial. Especially if you work on a quarterly basis and you're in the publicly traded market, it can be dramatic. I know Clorox did take a huge hit, and as I'm recalling this as I'm talking, it was around a 700 or 800 million dollar loss for the quarter, and that includes both their stock losses and the cost to remediate the problem. So it's a huge, huge deal. So it's important that you do try to resolve these as fast and as quickly as possible.

So, obviously, best practices when you're dealing with notifying of a breach: you want to have prompt and transparent communication. You want to make sure that people are aware of it.
You want to have the same level of consistent messaging throughout the entire event. You want to ensure all communications are consistent and accurate to avoid any sort of confusion or misinformation. Like I mentioned before, you need to make sure your legal team and your compliance team are on board and fully pulled into what's going on. Do not do this alone. Make sure that they are tied in. Again, this starts at the beginning. Before you have an incident, you need to talk to your legal teams and your compliance teams to make sure they understand what you are telling them to do. If you don't do that, you will have all kinds of chaos and pandemonium when the event does occur, and guess what, it will occur. You want to make sure you offer support for people; obviously, there are credit services. You want learning and improvement: after this is all done, look at ways that you can improve the overall process. And then you need to keep your stakeholders informed of any new information that does arise. I will tell you that is probably the one thing that can be the most challenging, but it's also rewarding, in the fact that your senior leaders are coming to you because they don't like to operate in a vacuum. They do not like to be blindsided. So therefore, the more communication you can provide to them, the better off you will be. It will also make you better as a security professional, because you will have to have the information. They're going to ask very detailed and very poignant questions around your security, and they want to make sure that it is properly protected. You're going to have to have the answers. So it's important that you have a good plan going into this to ensure that you can answer those questions promptly and correctly.

Okay, so now we're going to get into transborder data flows. Now, this again is a part of section 1.5.
We talked about breach notification, and this is an important factor for you to know: where is your data at? So, as you're in your company, you need to know the data that's coming into and going out of your environment, because if you don't, it's really hard to know what is the data that's leaving, what is the data that is resident, and then also, who should you inform in the event that there would be a potential breach or incident or event, depending upon the vernacular that you use. Now there are various privacy laws that are involved within the transborder thought process. So if you're dealing with China, they have privacy laws. Australia has privacy laws. Each of them have their own privacy laws to protect their citizens within their country, and for these laws they have requirements on what happens with this data. Now, if you are an individual that just deals with manufacturing data, you may say, well, there isn't much privacy information in what we have, so this doesn't really pertain to me. You would be incorrect, because there is some level of privacy information in almost all the data that is transported from one location to another. In many countries, just a username is a privacy aspect. If you have an email address, that can be a privacy aspect. It doesn't have to be their name, date of birth, address, all of that. It can be very simple, and just one piece of information can fall into the overall privacy bucket, and so it's important for you to truly understand what are the needs for that country, because you could put yourself and your company in a situation where you are in violation of these laws, and you don't want to do that. The other piece is when we're dealing with data sovereignty, you need to discuss and understand with your folks what is the legal jurisdiction that you have with the data in this country.
So when we talk about data sovereignty, it means the data that is resident, that is sovereign to that location, and you need to get legal counsel's thoughts on what does that specifically mean. And then also you need to get legal thoughts on the data transfer leaving this country to your organization. Now you may have to go out to outside counsel to get this done, and what that means is outside counsel is someone, a law firm, outside of your organization, to give you guidance and direction, because you may not have the legal expertise within your company to be able to do that. Now there are various legal and regulatory frameworks that you can use to help guide this conversation when you're dealing with transborder data situations. There's the OECD guidelines, which is the Organization for Economic Cooperation and Development. That's OECD: Oscar, Echo, Charlie, Delta. Now these are privacy guidelines that are set with eight core principles for privacy protection for these data flows. You should obviously understand these principles, and what they basically include is data collection, data quality, limitations and security safeguards. You should understand what are the collection limitations that you may have. What is the data quality? What does that basically mean? That means, what kind of data is leaving? Is this the sort of data that's tied to personal information? Is it financial information? Is it just metrics? What is the data that's leaving your organization? Are there any purposes around it, any limitations? And then what are the security safeguards that you may have to put in place to protect this information? Now there are regional and national laws, obviously, such as GDPR, which we mentioned a lot, and then the United States has HIPAA, which is your Health Insurance Portability and Accountability Act. You may need to understand those as well. Now you're going to be asked questions on the CISSP that will go through the EU, but just understand this.
HIPAA deals with privacy, so your questions come up around privacy. Focus on that when you're dealing with GDPR. Privacy is in there, but it's more about data protection of the individual, so keep that in mind. So focus on: GDPR is on the individual. HIPAA is on privacy of the individual, but it's localized to the medical space. So again, now I say it's medical. It's not just medical, because if you have, like, an insurance agent (my dad is one), the data he has there could fall under HIPAA, because it's dealing with people's privacy information, but there's also medical information that's tied to that as well, so just understand. The main key concept, though, is that the privacy aspects that are tied to both GDPR and to HIPAA are, one, region-specific, and two, focused on individual sectors of that environment. Another thing you need to consider is data classification, so transborder data flows often involve sensitive information, so you need to be aware of that. This is where data classification schemes and controls are often required, so you need to have some way to protect this data as it's being transferred across these borders. So understand that if you haven't put in place a good data classification schema, you may want to consider that. Another part is encryption and, I can never say this word, anonymization. You encrypt and anonymize the data that's leaving the country. So you'll have situations where, if the data is resident, you'll want to make sure the data is encrypted. If the data is leaving the country, such as what GDPR requires, the data is anonymized. Which basically means Bill Smith does not equal Bill Smith when it arrives in the United States; it may equal individual one, two, three, four, something else. It may be completely different. There's different types of anonymization.
We talk about this in the CISSP training that we have, but the bottom line is, you want to make sure that if there is a requirement around anonymization, you have implemented that. Now, when you're dealing with ethical considerations, you also want to understand the privacy rights of the individual for any data that's leaving the country. You also want to understand the sovereignty concerns of that country, and you need to be cognizant of that. So, if the Chinese government requires that the data stays local, which is what we call data localization, then you, as a security professional, need to adhere to that, and you need to be able to do that. Now, there may be situations where you don't have the data that's localized, and maybe there's reasons why. We've seen these, especially with the Chinese government, but it doesn't really matter, any government, where they may come out and say what they want, but they really truly don't know what they want, and so, therefore, it's up to you to kind of help work with your legal team to understand what are they trying to accomplish, and this is also by working with individuals in that particular country to try to understand the language, because sometimes, obviously, the translated language, and this was true, very true, within China: I will read it and it says one thing, but then our local resources will read it and they will look at it and go, no, no, no, no, that's not what it means. It means this, and you're like, oh. So then I try to put in controls that aren't necessary because that's not exactly what they're asking for. So it's important for you to really work through those pieces of this as well. Now it's important that you understand there are standards that are available, like ISO 27001; we've talked about that a lot in CISSP Cyber Training.
That's a great framework that you can use to help guide you down this path of what is the best framework for the country that you're working in, especially when you're dealing with cross-border data flows. Here in the United States, that's typically not a problem between states, but when you're dealing with countries, it becomes a bigger problem, a bigger challenge. You also need to understand the different legal and regulatory concerns that are associated with this, which would be compliance with laws such as GDPR, obviously the CCPA in California, and others as well. This has been one of those where legal and compliance need to be fully invested, and I haven't said that enough. It is true, it's very, very true. Now, one aspect to kind of consider when you're dealing with cloud computing, when you're dealing with cross-border data transfers and cloud computing, this can be very helpful. One, if your cloud is localized, that may make the country very happy. They may force you to keep the data in their cloud environment versus being in yours. The other challenge, though, is if you are, let's say, in the EU and you have European data that is being stored, in many cases, you may want to have this data stored within a data center in the EU. There might be requirements around that. Now, this isn't always the case, and you're going to have to have your legal folks look at, one, what type of data is being stored, but at the end of it, if that's the case where you get a ruling that they feel, you know what, the data needs to stay in Ireland, then you will need to architect your environment to ensure that the data stays within the geographic boundaries of the EU, or, let's say, Ireland, and it isn't transferred to the United States, or if it is transferred to the United States, it is anonymized to a point where it's not recognizable what that information is.
So you're going to have to work that out with your legal team, as well as with your security architects that you may have in your organization. Now the bottom line is that you need to, as a security professional, have the ethical thought process around how do you protect the data? How are you aware of the data as it's transferred from one location to the other? And then you need to ensure that both your senior leaders and your legal teams are aware of what data is being transferred and what is in the data. Then you need to also be aware of how you, as a security person, are going to protect this information while it's in transit and while it's sitting resident on whatever server it's going to. There's been plenty of times with data that's leaving the United States. You protect the data as it goes from, let's say, the EU to the United States. Then, when it lands on a server, how is it being protected on that server? Because this is the EU data. This is data of individuals that are tied to the European Union. So, therefore, you need to protect it in a way that you would want: one, there's a requirement that it needs to be protected, but two, also from the standpoint of the best thing you should do for that data and those individuals, because I would want the same type of action to occur with my information. If my information is being stored in Ireland, I would hope that the security professional that is putting it there is doing the best he or she could to protect that information. So, as you can see, it's really an important factor when we're dealing with transborder data flows. As you're looking at the CISSP exam, you need to be aware of how does this work and what are some of the key considerations around it, and you can't always get that with a book, right? You read the book and you're like, okay, I don't really understand what the heck that means.
Well, this is what it looks like from a large multinational, but it doesn't matter whether it's a large multinational or a small organization. You will have to deal with it at some point. All right, that's all I have for today. I want to let you know to go to CISSPCyberTraining.com for some great training out there available to you. Just keep an eye on it. I've got three great products that are available. If you are in your journey for the CISSP and you're an IT professional, been doing this for years, and just need a self-study program, I've got the product for you. I totally do. A lot of my folks that I work with, they are in that same boat. They've been doing security for many, many years and they just need the help, and they may be very good in their niche, especially when it deals with all the eight domains. They may have two or three of the domains really well covered, but they don't truly understand the remaining parts of the domains. Go to my CISSPCyberTraining.com, my self-study programs that are out there, and they will help you immensely. If you do need some more one-on-one training, there's two other programs out there that, based on your needs, can help you as well. So again, I'm here to help you pass the CISSP, but I'm also here to help you in your cybersecurity journey and help you grow in what your plans are for the future. All right, that's all I've got for today. Have a wonderful day and we'll catch you on the flip side, see ya.
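As an added example (not code from the episode or from CISSP Cyber Training), here is one way the two points made above could be put into practice before a batch of EU records is allowed to leave the region: the "Bill Smith becomes individual one, two, three, four" step, and the check that nothing as small as an email address is still riding along in a free-text field. The identifier list, the sample records, the `ind-` token format and the key handling are all assumptions made for illustration; the real identifier list comes from your data classification scheme and from legal counsel in the source jurisdiction.

```python
import hashlib
import hmac
import json
import re
import secrets
from typing import Dict, List, Tuple

# Fields treated as direct personal identifiers. Constructed for this example;
# the real list comes from your data classification scheme and legal review.
DIRECT_IDENTIFIERS = {"name", "email", "username", "date_of_birth", "address"}

# Rough pattern for e-mail addresses hiding in free-text fields such as "notes".
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample records standing in for EU customer data.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Bill Smith", "email": "bill.smith@example.com",
     "country": "IE", "plan": "gold", "notes": "renewed 2023"},
    {"name": "Anna Murphy", "email": "anna@example.com",
     "country": "IE", "plan": "silver", "notes": "contact at anna@example.com"},
]


def pseudonymize_record(record: Dict[str, str], key: bytes) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Split one record into an export copy and a re-identification entry.

    The export copy drops every direct identifier and carries one keyed token
    instead (HMAC-SHA256 over the identifier fields, truncated). The same person
    always gets the same token, so records can still be joined after transfer,
    but without ``key`` and the mapping table the token cannot be turned back
    into a name. Key and mapping stay in the source jurisdiction.
    """
    ident = {k: record[k] for k in sorted(DIRECT_IDENTIFIERS & record.keys())}
    msg = json.dumps(ident, sort_keys=True).encode()
    token = "ind-" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    export = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    export["subject_token"] = token
    return export, {token: ident}


def find_residual_identifiers(record: Dict[str, str]) -> List[str]:
    """Names of fields that still look like personal data after pseudonymization."""
    leaks = {k for k in record if k in DIRECT_IDENTIFIERS}
    leaks |= {k for k, v in record.items() if isinstance(v, str) and EMAIL_RE.search(v)}
    return sorted(leaks)


def prepare_export(records: List[Dict[str, str]], key: bytes):
    """Pseudonymize a batch, quarantining records that still expose identifiers.

    Returns (export_batch, mapping, rejected). Only ``export_batch`` should cross
    the border; ``mapping`` stays with the key; ``rejected`` goes to human review.
    """
    export_batch, mapping, rejected = [], {}, []
    for rec in records:
        exp, entry = pseudonymize_record(rec, key)
        leaks = find_residual_identifiers(exp)
        if leaks:
            rejected.append({"subject_token": exp["subject_token"], "leaks": leaks})
            continue
        export_batch.append(exp)
        mapping.update(entry)
    return export_batch, mapping, rejected


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and held in the EU, never shipped with the batch
    batch, mapping, rejected = prepare_export(SAMPLE_RECORDS, key)
    print(json.dumps({"export": batch, "rejected": rejected}, indent=2))
```

Running it exports the first record with only `country`, `plan`, `notes` and a `subject_token`, and quarantines the second because its `notes` field still contains an email address. Whether a keyed token like this counts as anonymized or merely pseudonymized under a given law is exactly the question the speaker says to put to legal counsel; the code only enforces whatever answer comes back.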

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification? 

Let CISSP Cyber Training help you pass the CISSP Test the first time!
