CCT 284: Evaluate and Apply Security Governance Principles (Domain 1.3)
Oct 20, 2025
Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv
Security governance represents one of the most misunderstood yet critical components of any cybersecurity program. As we explore Domain 1.3 of the CISSP exam, we unpack how proper governance creates accountability and structure that protects both your organization and your career.
We begin with a startling real-world example: the "Red November" campaign, where Chinese state-sponsored hackers exploited vulnerable internet-facing appliances and VPNs across defense, aerospace, and government sectors for a full year. This sophisticated operation highlights why casual approaches to security governance leave organizations exposed to devastating attacks.
Security governance isn't merely a theoretical concept – it's a practical framework that defines who's responsible for what across your security landscape. We break down the crucial roles every organization must establish: from Senior Managers who hold ultimate responsibility, to Data Owners who classify information, to Data Custodians who implement protections, and the often-overlooked role of Auditors who verify everything works as intended. Understanding these distinctions protects security professionals from becoming scapegoats when incidents occur.
The real value emerges when we examine how security control frameworks like NIST CSF, ISO 27001, and CRI provide structured approaches to managing risk. These aren't one-size-fits-all solutions, but rather customizable blueprints that help you systematically identify, implement, and monitor security measures appropriate to your specific needs. Framework mapping allows you to align multiple requirements efficiently, making compliance less burdensome and more effective.
Finally, we demystify the concepts of due care and due diligence – the practical actions that demonstrate you've taken reasonable steps to protect your organization. These aren't just legal defenses; they're the fundamental building blocks of a mature security program that aligns with business objectives while meaningfully reducing risk.
Whether you're preparing for the CISSP exam or building a more robust security program, this episode provides the practical knowledge you need to implement effective security governance that executives will support and auditors will approve.
TRANSCRIPT
SPEAKER_00:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber, and I'm your host for this action-packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.
SPEAKER_01:
Good morning, everybody. It's Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is what? Yeah, CISSP Monday. So we go over different types of training on CISSP Monday. And we are going to be going over domain 1.3, evaluating and applying security governance principles. Yes, security governance. Some people don't like it, some people don't do it. But guess what? You should pay attention to it. And if you're taking the CISSP, you're going to have to know it. Yeah, you're just going to have to know something about it. So the goal is to talk about domain 1.3. And as you know, if you've been listening to the CISSP Cyber Training Podcast for any period of time, we go over this on Mondays, and then we tend to go over questions on Thursdays. And that's just kind of some deep dive kind of questions around the domain that we're currently talking about. But before we do, I wanted to get into an article that I saw that just hit the news late last week. So in this article, this is the hunt for Red November. This is kind of a spin-off of the movie Red October. But the ultimate thing is that they labeled this attack method as Red November. And the Chinese government has basically hacked different types of organizations through the past year from June of 25 to July, I should say June of 24 to July of 25. They're basically going after any internet-facing appliances that are deployed, on a Go-based backdoor called Pantegana. And then they're using other offensive types of tools such as Cobalt Strike and Spark RAT. So these are all being used by the Chinese government to gain access to these systems. Now they've been focused primarily on, like I said, internet-facing appliances and VPNs. You know how much I love VPNs. If you've listened to this podcast for any period of time, you know that I have a special affinity for VPNs. I love them.
They're the best. If you're a hacker, yeah, they're great. I love VPNs. The point of it is you want to try to get off VPNs as much as you possibly can, unless you absolutely have to. But they've been focused on aerospace and defense, government bodies, and professional services for all of their attacking needs. Now, as they're doing this, they focused on the industrial base and they're trying to gain more of a foothold within obviously all of these different types of entities to include U.S. critical infrastructure. The ultimate goal, I mean, we don't know because I'm not part of the Chinese government inside their hacking division. But if I was them, what I would want to do is get access to all the U.S. critical infrastructure, actually global critical infrastructure, and have a toehold in all of it. The ultimate point is that if anything, the balloon goes up and there becomes a shooting war between countries, they are in control. They flip switches and things go dark. Once that happens, it causes chaos and pandemonium. And, you know, if you're going to attack an attacker or going to attack someone, you want to make their life painful. And if you can sow concern, you can sow discord and make confusion occur with these folks, then what ends up happening is you have an upper hand as it relates to dealing with the war or whatever you're gonna be doing at hand. So it's a smart call if they're going to be doing it. I don't agree with it, because I would probably be on the receiving end of that, but it's a good call. There's different types of organizations that have been hit with this. They're basically talking about also that they focused on the Panamanian government. There was an interesting part of this, like why would they deal with Panama? Well, back in that period of time, the U.S. government was focused on Panama.
They probably still are, but it just hasn't hit the news as of late. And the U.S. government uses the Panama Canal to get their military aircraft, military ships from the Atlantic to the Pacific. And also a lot of global trade goes through the Panama Canal. If you close up the Panama Canal, well then everybody has to go around the south tip of South America, and that makes it extremely challenging, both from a shipping standpoint because it's very, very precarious from an ocean standpoint, but it also makes it very long and painful. So nobody wants to lose the Panama Canal. However, that being said, the Chinese government has been actively involved in the Panamanian government and wants to have some level of influence down there. So there's a lot of subterfuge that's going on as it relates to all of this. But the ultimate goal, though, is that they've tried to get access. Now they don't think that the Chinese government was able to get access to any of these systems. That being said, this is one campaign of many, and they're always trying to do something. So if you have a VPN, then you should just open it up and let them in. No, I'm joking, you don't want to do that. But if you have a VPN, you better make sure it's tight. You better tie that booger down because they are a great tool for some bad actors to get access to your network, and you will never even know they're in your network. Now, how they got access to this is through Cisco firewall vulnerabilities that were out there. And this is CVE 25, it's two, 20,033 and 20,362. And it does allow for read-only and memory modifications, which did provide them the persistent, long-term persistent access to these systems. So, again, you can modify the read-only memory.
If you can do that, every time you reboot the system, what ends up happening is your Trojan, whatever you have for your software that's running on there to be able to gain you access, is able to be redone. So therefore, you always have persistent access to these systems. The ability to modify read-only memory is a big deal. So obviously they fixed that CVE or that issue. If you do have any sort of Cisco firewalls, you'd want to make sure that that patch has been applied because you don't want to allow anybody to have any sort of read-only access to your system. Okay, so that is what I wanted to talk about today. Again, this is the hunt for Red November, and the Chinese government hacked critical orgs for a year-long snooping campaign. You can go check it out at The Register. Okay, let's get started about what we're gonna talk about today. Before we get started, I want to do a quick shout out for CISSP Cyber Training. Head on over to CISSP Cyber Training and check out all the great stuff we have out there for you. We have free content. I have gobs of questions out there. I have free CISSP rapid review. I have all of those things that are out there specifically for you to help you study for the CISSP exam. And it's all free. There's a big chunk of it that is free. All I need is your email address. That's it. That's all we ask of it for CISSP Cyber Training to gain access to all of my free content. And you get that everywhere. But I mean it. It's really good stuff. Some of my friends keep telling me, you give out a lot. And I'm like, yeah, I give out a lot because I want you guys to pass the CISSP.
However, if you want some more stuff, such as these videos that we do, or the audio trainings that we do and the videos that we do, all of that stuff is packaged together and curated for you step by step to include my development of a new 10-day boot camp as well as a three, four, and five day, or three, four, and five month plan for you to be able to study the CISSP, depending on your needs and where you're at. I've got the boot camp that can be done in 10 days. I also have a longer program that's available to you as well. All of that is in the paid content, but again, it's not that expensive in reality of you passing the CISSP and the amount of money you can make getting the CISSP. It is small potatoes. I mean it really is small potatoes, not much there. But again, go check it out at CISSP Cyber Training. Okay, let's get started. Domain 1.3, evaluate and apply security governance principles. Okay, so security governance principles, these are key concepts that we're gonna get into around security governance. And I will tell you, when I first started looking at governance, it confused me. I didn't quite get it. I didn't understand it. And in reality, working in the manufacturing space, I understood it and I knew the need for it, but there was no requirement that I needed to do it. And so, therefore, for me to help get the CEO and the CIO on board, it took a lot of influence to make them do this because they didn't see the value. There was no, I mean, the risk is there, you've got plans in place. Where's the value in this? Now, as we grew the security governance program of my company, they saw the value immediately. However, it took a long time to get them moving. That being said, now, depending upon where you work, you may have a strong set of governance and compliance requirements that you have to do to make it because of regulatory bodies that will say that you have to do this.
So it's an imperative thing. It really truly is, and we're gonna go into details around that, but I highly recommend that you don't blow off security governance for two reasons. One, it's on the CISSP exam. Ha ha, so don't do that. And two is it's gonna be very helpful for you if you get it in place, you deploy it well, and you manage it correctly, it will go a long way for you. So here's the definition of security governance. It's a set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that the objectives are achieved, and ascertaining the risks are managed appropriately and verifying, that's a lot of hands, and verifying the enterprise's resources are used responsibly. Okay, so that's a big run-on sentence. That's a paragraph with lots of big $10 words in it, and you're going, okay, that's, yawn, that's a lot of stuff. Yeah, it is, it truly is. But the ultimate thing to kind of break out of this is one, executive management goals, objectives, right? And that is to ultimately get where you want to go. So again, if you have goals and you have objectives and you help executive management understand what those are, that is a win. Why is that? Well, at the end of the day, they support you. And if you can tell them what you need and you can make that happen, that is a winning thing. One, it helps make your company secure. Yay! Two, it also will help you make more money. Yay. So you want to be able to do these things to ultimately help the company, but at the same time, financially, it can do a lot of benefit for you as well. Now, security governance principles, they're a group of security practices that define the security of an organization. We kind of talked about that already just a little bit. They're integrated or imposed, yet they can be imposed in various forms or purposes by different needs and/or requirements.
Obviously, we talked about regulatory and compliance pieces of this. Are you tied into CMMC? That's the defense industrial base here in the United States. Yes, you must follow, have a good governance program in place. Are you in the financial sector? Yes, you need to have a very strong regulatory or I should say compliance slash governance plan in place. If you're in the industrial standards, you're getting more and more of that with ISO 27001 and there are many others, right? It's coming. Whether you like it or not, regulations on cybersecurity are coming. They have been pretty loosey-goosey for the past 10 years. But as it's becoming more and more apparent that cyber is here to stay and can cause all kinds of chaos and pandemonium, i.e. airplanes getting shut down at airports and all that kind of fun stuff, yes, that is going to be a bigger factor. Compliance is going to come into play. So if you're not considering it now, you should. If you're a cybersecurity professional, when you get to an organization and they're not doing compliance or governance, you need to really think hard about how to help them understand the need for it because it's coming. And if you don't plan for it, it will probably catch you flat-footed and you will have to then start running where you're going. So flat-footed basically means you're not jogging, you're sitting there still, and then all of a sudden you're like, oh, I gotta go. So then you start running. But it's better to be running, and in that process, even if it's a light jog, than it is to be standing still. So audits and assessments of these different governance principles can occur. This can be done internally or externally, depending upon, one, the need of the requirement. You may have entities that require you to have an audit or assessment done. Or you may have to pay for it, you may not have the money for it, you may have to figure that out too.
So there's all kinds of issues there. Or it can be done internally. You may have an internal audit group that will do this for you. I have been on plenty of these where the audit team does not really understand cyber, so they will bring with them basically an analyst of some kind to help them during the assessment. They work also very closely with your CISO to understand what are some of the things they need to be aware of. So I've done audits with big companies, E&Ys, all these different types of companies, and they come with a pretty strong subset of people that do get it. However, that being said, I've had to do a lot of hand holding with them as I walk through what I have in place. So depending on the size of the organization, this also can be limited or can be very complex. Big organizations can be very complex. If it's a small organization, it can be limited and much easier to do. That being said, that doesn't mean you should just kind of blow it off. Don't do that. It's an important part. It really truly is. I was not always a big fan of audits and assessments. I thought they were just paperwork-driven messes and you just had to check the box. I'm like, oh my gosh, this is just painful. It just takes time and it costs me money. Correct, it does. It takes time and it does cost you money. However, if you do it right and you do it right the first time, you don't have to do it right a lot. That's not the right word to say. You always have to keep doing it right. You just don't have to do as much. You just have to tap the gas a little bit. So if you set the program up really well, and then once it's going, you just tap the gas every so often. Basically, what I mean is make modifications, change anything that's just changed, then it isn't nearly as terrible. I mean, it just isn't.
But the getting started takes time, and you better plan yourself that if you don't have it and you're a good size organization, this is a multi-year type of journey. So you can follow the different frameworks that are out there. There's 800-53, 800-100. These are all from the National Institute of Technologies or from ISO. The 27001 folks will have something as well. There's lots of different programs out there. Working with Next Peak and my company, we have been able to work with a lot of financial institutions, and there is a product out there called CRI, which is your Cyber Risk Institute, and they have a really good governance layout on what you should have for your governance program. If you can follow CRI, you are in business, man. You've got a lot of good stuff in place. And I would highly recommend that you go look at it, even if you don't have, say, maybe you're using the cybersecurity framework for something like that, the CSF. That's fine, and I think that's great, but I would go look at CRI because from what financial institutions are using, if you can fill out that information for that, it will go a long way in helping your overall program. The downside of it is as you look at it, it can be a bit overwhelming, and you may go, well, I can't do this. And you're probably right, you can't do this right away. However, I would recommend you do look at it and start planning out, maybe picking out of there, cherry picking, picking small things that you feel you could use within your company and then implement those as well. So just something to consider, CRI, Cyber Risk Institute's framework for financial institutions. The other thing is business integration. It's not just an IT issue to resolve. A lot of times this will come down as your CEO goes, IT, you guys fix it. Just go fix it, make it happen. And that's a wrong attitude to have.
I'll be honest, if your CEO takes that kind of approach to cyber, or your COO or someone along those lines, they just go, hey, IT, I want you to fix it. I'm gonna be very transparent. I would highly recommend that you do a great job for them, do your best job for them, but look for a new job. The reason I say that is because unless somebody in senior leadership, and that means the CIO on up, and if it's lower than the CIO, I wouldn't even mess with it. But your CISO, obviously, but your CIO and on up, if they don't take cyber seriously, you need to look for a new organization. The reason I say that is because at some point they're gonna get pwned and you're not gonna want to be part of that dumpster fire. So you want to make sure that you are in an organization that takes it seriously and they don't just give it lip service, which means they don't just talk about it, they actually do something with it. I'm just being very transparent from a mentoring standpoint. I would do that. Just think about it. So it's not just an IT issue to resolve, and it's integrated at all levels of the organization. Governance needs to be. Now, if their leadership says, yeah, yeah, yeah, I'm on board, and they don't, well, that's your CISO's job, or if that's your job, if you're the CISO, to help get them educated and help them be part of this governance program. It can be managed by a group or a committee, and I'd highly recommend this. The group or the committee that was managing it for my organization was moi, me, and that was not what I wanted. So I ended up having to bring in compliance. I brought in HR, I brought in the CIO, many different people that were helpful in this governance process. And this can report the findings to the board of directors. I highly recommend that you report your findings to the board. They need to be involved in understanding what is actually going on as it relates to cyber.
If your board is not part of the overall cyber kill chain, it's not really a kill chain, but information chain, then you may want to start that process and what does that look like to be able to get this information to the board? I mean, at the end of the day, the board's gonna be responsible for this, so I would think they would want to know. It took me a long time, crazy as it sounds, to get in front of my board of directors about our cyber stuff. My CIO, very nice man, but was a little hesitant on doing that. And I still to this day don't quite understand why. I think a lot of it comes down to is that it was so new and he didn't want to baffle them with BS, which was basically confusing the fact that they didn't understand it and he didn't really want to even try to address it. So I would highly recommend your CISO is involved with your board of directors of some kind, and if not, you need to figure out how to get that influence there. Okay, so the following roles that we're gonna talk about here are responsible for the security of the data. They're not static or predefined, and in many cases, these are a learned skill, which as we get into these various roles, you'll see that you may have never done data owner for a company. You may have to learn it. And we're gonna get into that here in just a second. But you need to understand that as you're going and trying to understand data security for each of these specific roles, you need to have a good plan. Job descriptions and skills should not be defined in the role itself specifically. That would be a specific area that's outside of what we're talking about. So let's just kind of get started and it'll make more sense as we go. So, a senior manager, this is a person that is assigned with the ultimate responsibility of the security for the data, for the information itself. They have approval authority over the data.
So I ran into this as an example when I was dealing with various intellectual property type of things. So as I'm trying to get this data secured, as I'm working with the senior leaders on this, one of the things that came out is they always came back to me and said, Well, hey, Sean, you can approve this. You're the data owner or you're the senior manager, you can make this all happen. And I said, No, I said, I cannot approve this. The reason I say that is because at the end of all of this, I am not the one that's ultimately responsible. I am responsible, and if things go sideways, it's on me. However, that being said, I'm not ultimately responsible for that. Now, the situation where it occurred was the fact that the CEO, it came down to, he was at the end of all this officially responsible for it. And he was the approval authority. Now he did pass down the ability for me to approve it, but if there were any questions, I was supposed to reach out to him and I would also just inform him of any of the things that I did approve. But I wanted to make sure that he was understanding that he was the ultimate person responsible for the security and the protection of the data itself. If anything bad happened, both of our heads would roll. And I did this on purpose too. One is he needed to have skin in the game. And the purpose is that if he would just acquiesce this to me and if things get screwed up and the data gets exposed and people start coming back after me, I didn't have a chair when the music stopped. So I wanted to make sure that the CEO was fully invested and fully involved so that if I go down, he goes down. And the point was that this was his data. This wasn't just Sean going out there being rogue. And you as security professionals need to be aware of this. No offense, but there's people out there that will hang you out to dry if they feel that it'll work in their best interest.
So you need to make sure that you have a battle buddy with you when you go into any of these situations. You do not want to be the only person that has approval authority for all things security. You don't want that. You do not want that. You want to make sure that they're invested too, because then when things go bad, which they will, they're not just pointing fingers at you and you're going, What do you mean? We were in this boat together. No, no, I wasn't in this boat with you. Yeah, yeah, they were. So you need to make sure that you have that all done up and ready to go. Security professionals. This is where an information security professional, they follow the direction of the senior manager. Typically they are not decision makers, but they are influencers. So I started off as a security professional and then I ended up being more of a security manager. But it was more of an influencing standpoint when we first began. I would say some of the folks that used to work for me as analysts were more of an influencer. They did not have any responsibility, but they gave me some influence on what we should and shouldn't do. So that is an important part of any organization. You need to build that into your company to make sure that all folks that are security professionals are an influencer for you in the relationship of securing the data within your company. The next one is a data owner. This is the person who's responsible for classifying the information. Now, it's typically a high-level manager. In the case of myself, it was the engineers that had access to our intellectual property. They knew what was best for the company itself, and so they were a pretty high-level senior vice president kind of person. Now, they can delegate this responsibility to the data custodian, which we're going to go into here in just a minute. But they may go, well, you know what? I don't have time to approve all this. You have it, Mr.
Custodian. So they had a situation where we had a senior vice president, he was in charge of the data. Any sort of responsibility with it was run by him. However, he also had folks that were his senior leaders that he delegated this responsibility down to as well. So he didn't become the bottleneck and the choke point. If approvals needed to occur, we would reach out to him and then he would approve it. If he wasn't available, then we would reach out to his senior leaders and then they would approve it. So it's a good hierarchy of data owners and data custodians. So intellectual property is a really good example of how this can work. You know, who can approve SharePoint sites, who can approve the data classification schema, all of those things can be done by the data owner and then potentially passed down to the data custodian. Now, data custodian, which we kind of talked about a little bit, they're assigned to implement the classification schema and they're designed to do that specifically. Now, if you don't have a large organization, your data owner and your data custodian may be the same person. Or you may have two data owners and they both operate as a data custodian. So not all organizations will have this. It's just a term that you need to be aware of for the CISSP and if your organization may need it. Now, they perform activities to ensure that the confidentiality, integrity, and availability triad is met. An example of this, like we kind of just quickly talked about, is your IP owners. I have had the IP owner delegate that down to some of my security professionals because they felt confident enough that this person knew enough about the intellectual property to do that as well. So your data custodian typically is delegated from the IP owner or the data owner itself, I should say. And it could be someone within the IP space or someone that understands that data, or it could be somebody else.
It just really depends. There's no specific job function that has to have it. Again, you deal it based on your organization and what your needs are. User, this is any person who accesses the data, or its secured system as well. They must uphold slash meet the security policies set forth. This is why policies are an important part of any organization so that they are met by your organization. Users need to be aware of them so that way they don't go out and go rogue and do things they shouldn't do. Or in the case of when you're dealing with your security aspects, your user goes out and does things that you don't want them to do, and then because you didn't have a policy in place, they go, Well, there's no policy. What says I can't do this? And then you have nothing. As a security professional, you have nothing to hold them accountable. And it's just painful. So then you're like, okay, fine, you got away with this one. Now I gotta make a security policy. And then they do it again, and you're like, Well, I didn't have my security policy done when they did it again. Well, yeah, see, it's not done. So then what do you do? You fire them. Yeah, no, you gotta figure it out. But you build a case besides that. You do, yeah, I had that situation. Does it sound like it's kind of a raw statement? Yeah. That happened to me when I first started. I didn't have a good policy in place relating to cybersecurity and IP issues. A person decided to share passwords of IP-related information. And what ended up happening is then I didn't have a leg to stand on to try to get this person booted. So, yes, I then quickly started putting things together and they did it again, but I had enough documentation to get them fired. So again, the ultimate point is it's a constant race that you're dealing with. If you build your governance program right and you do it well the first time, it can make your life a whole lot easier in the long run. Auditor.
This person is responsible for reviewing and verifying that the security is properly implemented. This can be delegated to the information security professional; it can be done by a lot of different people. I was an auditor at times for different organizations within my company. I also had some of my security professionals that worked for me that were auditors within my company. So they're very helpful; it just depends. You can have internal and external parties. I highly recommend that if you don't have an external auditor company on hand, you go out and find one. I would highly recommend, though, and I say that a lot, that you don't just go find the E&Ys of this world. They are expensive. Yes, they're crazy expensive, and there are other companies out there that can do just as good of a job. E&Y and those guys will charge you a fortune, and they say, "Well, we're E&Y, so you are amazing, and we are amazing." Yeah, so I'm not bashing E&Y, I'm just saying you can get just as good of a product from someone that's probably half that price. And I'll go plug Next Peak. Ha ha. If you go to Next Peak, we can help you. Most definitely, we can help you get any of your auditor assessment work done at about a third of the price. Yeah, or half to a third. Yeah, somewhere right around there. Don't quote me on that, but yeah, we can help you immensely. So again, go to different internal or external parties to help you with that.

Security control frameworks. Now, these are a structured set of security controls, policies, and best practices used to manage cybersecurity risk. You're gonna see this as you're dealing with a framework, and there are different types that are out there, but as you get into those, you're gonna see that they're designed specifically to help you manage the cybersecurity risk.
They're designed to provide consistency and repeatability for securing systems, data, and operations. So as you go into these different types of frameworks, you will see the different levels. If you start comparing them, you'll notice the differences between them. If you look at that, like I said, CRI versus ISO versus CSF, there are differences. And again, based on your company, you need to pick the one that's best for you. There is no easy answer to this. There is a consistent process you have to kind of follow to go through it. Now, it helps an organization systematically identify, implement, and monitor security measures. And it does help you support your compliance and risk management plans for your organization. The bottom line is, if you can do this, it also helps indicate the maturity of your company. We've seen this when we do audits and assessments. If you have a lot of these things in place, it will show that you are a very mature organization. If you do not have things in place for what the framework says, or what the mapping of the different frameworks says, you will then look like you do not have a good maturity level, and therefore it could affect you, from insurance to risk, in a lot of different ways.

Now, the importance of this is it helps standardize the security approach across your teams and your systems. It also allows you to talk to your senior leaders and ensure that they are aligned with what you're planning on doing. And that kind of goes to the last bullet: it ensures alignment with your business goals and regulatory requirements as well. So frameworks are an important part, and it's something you really, truly need to integrate and adopt within your company. Now, a little bit about the background of these. They were developed in response to the different threats that we're seeing out there.
Some examples we've talked about are ISO 27001, COBIT, NIST 800-53, or the Cybersecurity Framework as well. Those are all out there specifically for you to use. Now, again, more complex IT environments are causing this. Also, the integrations with many third parties. Your third-party risks have really increased over time, and it's imperative that you have these frameworks to help highlight some of the risks you may have with third parties. It's also an important part where you reach out to your third parties and see what frameworks they are using. If they aren't even using any sort of governance aspects, so no frameworks they're following, then that might give you a little more indication of where their security program is at. So you need to have measurable, auditable security practices. That's the ultimate purpose of it. And then your integration with risk management and business processes is an important part.

Now, the trend that we're seeing now is that you're moving away from a compliance-only focus to a risk-based approach. What does that mean? Well, in the past you had to go through the checkbox, right? Now they're moving towards, I say it's risk-based, but it is risk-based in the fact of your controls, but it's also compliance aspects as well. So when you're dealing with risk-based: do you have multi-factor in place? Yes. Okay, so great. That would be a checkbox. You have multi-factor. From a risk-based standpoint, you may say, we have multi-factor. However, we're not going to allow MFA with text. So, like if they text you a number, 2536, that number could be intercepted. So therefore, we will not allow that from a risk-based standpoint. It is multi-factor, but it's a weak form of multi-factor. We are going to require you to use an application of some kind. That would be more of a risk-based approach, depending upon the situation of the company.
If it was compliance only, it's like, yes, checkbox done, and therefore you're good. But the risk-based approach is focused on what is really going on within your company. That also requires you to be relatively mature in what your security program looks like. In the beginning stages, you may just go with more of a compliance-only focus because you're just trying to get things working, and you may then migrate more towards a risk-based approach in the future. It just really depends on you and your organization. The integration with DevSecOps is an important part, as well as cloud security and obviously continuous monitoring. All those are modern trends that we're seeing within the framework space.

So, some core characteristics in how this is built out. This is an organized collection of controls grouped by functions, such as identify, protect, detect, respond, and recover. That's focused on the Cybersecurity Framework aspects of this. Now, I will tell you that the CRI has identify, protect, detect, respond, and recover, and then it has a couple more that are added to it. So it just depends. They're adding a little bit more; a lot of it's around resiliency. It's repeatable: it's designed to be applied consistently across different systems and environments. So again, it's a guidepost, it's to help you move in that direction. It's measurable: it provides a baseline for performance metrics and audits. And like we talked about before, you want to have metrics. You want to have something that is measurable. Without that, you really don't truly know the status of your overall security for your organization. Now, there are examples of security control frameworks, which would be the NIST CSF, ISO 27001 and 27002, Critical Infrastructure, that's the CIS, then PCI DSS, those are specific. I talked about CRI.
CRI is one that is focused specifically around the financial industry, but it is not industry specific; it can be used in many different formats. It's a very ubiquitous type of product that's out there. So I highly recommend it. I just do; I fell in love with it doing that one consulting gig that I had. And I think it's really important for organizations to use CRI, or at least to look at it. Maybe use it as a litmus against the CSF. I think that's probably best. If you're just getting started, start with CSF, and then as you get more mature, you want to incorporate CRI in places where it makes sense.

Now, what it isn't. Okay, it's not a one-size-fits-all solution. It does require tailoring to meet your business size, your risk profile, and your specific industry. You have to do that, just like we talked about already. It's not a security product or tool; it's a blueprint. It's gonna help you get down this path. It's guideposts to help you. It's not software or any type of hardware. Now, there might be software out there to help you manage it, but in reality, it's not software where you can push an easy button and it will work. So it's more of guidance and a blueprint to help you down this path. It's not a guarantee of security, right? It will reduce your risk, but if you do everything that you can and you follow the framework and you do it specifically to a certain extent or a certain point, you still can get hacked. That is not gonna stop it from happening, but it will reduce your risk substantially from being affected by an attack. So again, keep that in mind. And that's one thing: you need to set expectations with your senior leaders. Don't go, "Hey, once we put this in place, we are free from any cyber risk." Do not say that, right? That is not what you want them to understand or what you want to convey to them.
You want to say this dramatically reduces our risk, but we still have risk out there. It's going to cost a lot of money and time to implement these frameworks, a lot of it, and opportunity costs, but at the end of it, you have to express to them that the amount of money and time spent is going to reduce the overall risk to the organization. It's not a replacement for risk management. Frameworks support risk management, but do not make risk decisions for the organization. So again, they help guide you and put you in a direction, but they will not make the decisions for you.

Now, mapping. We're gonna kind of talk about mapping here in just a minute. So this aligns with multiple frameworks for compliance efficiency. In this case here, we're gonna talk about the CSF and we're gonna talk about HIPAA. But you can have it go from CSF to 27001, SOC 2, CIS Controls, you name it. You can have that set up. It helps avoid duplication of effort, and it helps reduce work, because some of these can get very large and onerous. And if you have this mapping, it can help the auditors understand why you mapped these certain controls to a certain effect. So it simplifies audits across multiple standards, it improves coverage and identifies gaps, and then it supports an enterprise-wide risk management strategy. I do like the mapping piece of this, but again, pick the appropriate map for you based on what you're using. So in this case, I use HIPAA, even though they're two separate things: one deals with risk and one is more compliance driven. You may have that situation come up. It may not be one-for-one. So you have to decide which is best for you and your organization.
So, in the case of this, you can see on this table we have the NIST CSF function on the left side, then you have the HIPAA Security Rule in the middle, and then what would be an example of the implementation. Now, there are various different types of mapping tools that are out there for you. You can find them all over. CRI has one from the NIST Cybersecurity Framework to CRI, you've got the CSF framework to HIPAA, you've got all kinds of different pieces that are available to you. So if you look at the table, for those of you that are listening, we'll kind of walk you through it, but if you're watching the video, you can see where it's at. You have your Identify function, which they break down into a format, ID, right? So that's Identify. And then you have Asset Management, which would be ID.AM. In the asset management case, the HIPAA Security Rule that would map to it would be 164.310(d)(2)(iii), so it goes down to different levels, and this is basically device and media controls and accountability. That's what maps to the Identify and Asset Management piece of this. And the example would be: maintain an inventory of hardware, software, and media storage that includes electronic PHI. So that is what would meet and map to the NIST Cybersecurity Framework and HIPAA. This continues to go down to Risk Assessment, and they have one in HIPAA for risk analysis, and that would be: perform periodic risk analysis to identify threats and vulnerabilities to electronic PHI. And then Protect is access control, and they have access control within HIPAA, and that is: implement unique user IDs, emergency access, and automatic logoff for systems containing electronic PHI. So you can see the ultimate point is that it maps in CSF, it maps in HIPAA, and it gives you a function of what you can do.
That being said, some of these, like CRI, I keep going back to it, actually have evidentiary aspects where you have to have evidence to show what are some things that you would have. So they don't just leave it up to you to figure out what the evidence is to support that you have unique user IDs. And then you would document those unique user IDs. So again, it's cool.

Some key notes to think about, the takeaways from this slide: it's not one-to-one, right? Mapping is conceptual. HIPAA is prescriptive while CSF is risk-based and flexible. So again, it's not one-for-one, but it gives you a great guidepost on where you should go. You need to tailor your requirements to each organization. You've got to adjust your controls based on size, complexity, and risk environment. It will vary from a healthcare facility to a manufacturing facility; those are gonna change. Usefulness: mapping does simplify compliance efforts, reduces redundant controls, and helps improve your audit readiness, whether for an internal audit or an external audit. So mapping is really a valuable tool. It truly, truly is.

Now, due care and due diligence. So, what is this? Acting prudently by implementing reasonable security measures based on known risks, reflecting on what a reasonable person would do. That is what we call due care, right? So, due care is the reasonable care of protecting the interests of an organization, and it's a proactive approach to securing your environment. It's ensuring that you have that in place. It helps you create a culture of security, and it ensures that all things are in proper order. That's taking the care, the time, and the effort to ensure that you're doing what you should do to help secure the organization.
So, examples around this would be enforcing access controls and employee training, developing an incident response process or business continuity plans, and then applying patching and having a good vulnerability assessment program in place. That would be what they consider due care, right? It demonstrates accountability; failure may lead to negligence claims or penalties. What does that mean? If you don't do the due care, you could actually open yourself up to litigious situations. Honestly, any of this stuff, if you don't do it well, you could be sued. And in today's world, you probably will be. So yeah, the more you can have in place, it will definitely take the air out of the attacker's room, I should say the litigious lawyer's room, if you have a lot of these different aspects in place and you are doing them from an accountable standpoint.

Okay, so now we're dealing with due diligence. Due diligence is the systematic researching and understanding of risks, threats, and vulnerabilities to organizational assets through ongoing investigation. It means you're studying your adversary; you're digging deep into what they are. So it's practicing the activities that maintain a due care effort. All the stuff you put in for due care, you're trying to maintain that. Now, this requires carefulness and reasonable care. It's an approach to security, versus a random or haphazard one, and it's basically you're taking a plan, you're thinking about the adversary, you're thinking about how they might attack you, and you're putting things in place to mitigate that risk. This is a must. If you don't heed this warning, it will cost you. That's very, very true. You need to do your work, you need to understand the threat, you need to put protections in place for it.
So, examples of this: conducting vendor background checks, performing security audits and threat intelligence gathering on the bad guys and girls, and reviewing industry benchmarks for risk exposure. So if you're following, let's say, the framework for manufacturing and you are a financial institution, that would not be due diligence. You would be goofing up. Now, you're doing due care because you're following a framework, but you're not doing the diligence needed, so the best framework or benchmark you would be using would be something in the financial industry. So again, you want to make sure you focus on what you're supposed to do. Who's the adversary, who's the attacker, what are the best practices for your industry, and are you following them? Now, the importance of this: it enables informed decision making to minimize liability and to protect the organizational value that you have.

So, okay, that's all I have for you today. Head on over to CISSP Cyber Training and go check it out. There's a lot of great stuff there for you. It's amazing. Again, a lot of free things. You can't beat it. You can get my rapid review products, you can get all of my CISSP questions; I have a bunch of CISSP questions for you to get. Lots of great free content. If you think you need a bit more, such as my 10-day boot camp, my three-, four-, or five-month boot camp, or my training blueprint, that's available to you. There are paid products on there for you as well. So go to CISSP Cyber Training, check out all the stuff that's there, and I tell you right now, you will not be sorry if you did. If you're studying for the CISSP, it will help you pass the doggone test and get on with your cybersecurity career. All right, have a wonderful day, and we will catch you all on the flip side. See ya.

Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes.
I would greatly appreciate your feedback. Also, check out my videos that are on YouTube; just head to my channel at CISSP Cyber Training, and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!