CCT 288: Rapid Review Exam Prep (Domain 6)
Oct 27, 2025
Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv
https://www.jeffersonfisher.com/
A spike in ransomware on the factory floor isn’t just a headline; it’s a stress test for how we design, segment, and measure our defenses. We open with the realities of manufacturing risk (legacy OT, flat networks, and high stakes for uptime), then translate that urgency into a practical walkthrough of CISSP Domain 6: the assessments, testing, and metrics that actually prove security works. Along the way, we share a surprising leadership edge from a trial lawyer’s communication book that helps you argue less, align faster, and get executive buy-in when the first vuln report lights up like a Christmas tree.
We break down internal vs external audits and when each makes sense, plus a smart cadence for third-party and supply chain reviews that acknowledges your perimeter now includes APIs and vendor tunnels. From vulnerability scans and scoped penetration tests to SIEM-driven log reviews and synthetic transactions, we map out a toolkit that catches issues before users do. We go deeper on secure code reviews, unit/integration testing, and interface testing for APIs, because the quiet paths between services are often where real risk hides.
Then we shift to the machinery of proof: breach and attack simulation for continuous validation, compliance checks to spot drift, and the metrics that matter—MTTD, MTTR, patch rates, vuln density, mean time to report. We lay out how to run account reviews, verify backups you can trust, and exercise DR/BC so recovery is muscle memory. Finally, we tackle remediation prioritization, exception handling with compensating controls, and ethical disclosure that minimizes harm while nudging vendors to act. If you’re preparing for the CISSP or elevating your program, you’ll leave with a clearer map and concrete next steps.
If this helped, follow the show, share it with a teammate, and drop a review—what’s one control or metric you’re upgrading this quarter?
TRANSCRIPT
SPEAKER_00:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber. I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.
SPEAKER_01:
Good morning, everybody. It's Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is Monday, and we are going to be going over the CISSP rapid review exam prep for Domain 6, which is related to security assessment and testing. But before we do, I have an article I wanted to read to you as well as a book review, a really, really good book review. Very quick, but it's awesome, extremely good. If you are working on your CISSP, you obviously have cybersecurity as your main focus, and you'll really like this book. It's something I wish I would have had when I was a CISO; it would have made my life a whole lot easier, because it's super good.

But before we do, let's just get into what I saw in the news today. Okay, so this comes from Dark Reading, and this is "Fight Against Ransomware Heats Up on the Factory Floor." Now, knowing my background, I was in manufacturing for many, many years, and I would say it's about bloody time. The interesting aspect is that we always knew it would be a target for most attackers, but the challenge has been that they didn't have the money, or in many cases senior leadership didn't see it as something that would really actually happen. So, according to Black Kite's research in 2025, manufacturing has been the number one target for ransomware groups for four straight years. And you're going, well, you left only about two years ago. Was it a problem then? Yes. But the challenge was getting people to actually understand the risk to their organization, to their company. Now, the article talks about how between April of '24 and March of '25, so approximately one year, about 22% of all reported ransomware attacks, roughly 1,300 out of the overall 6,000, hit manufacturing companies. Then in Q2 of 2025, manufacturing accounted for around 65% of the incidents in the overall industrial space, and this is according to Dragos. We've talked about Dragos a bit on this podcast before. So it's a very big factor in this overall aspect.

The reason they're going after this stuff, right, is because for manufacturing people, operational continuity matters. You've got to keep things up and running. And then the other thing is that there is a willingness to pay. Now, there hasn't always been that willingness to pay, but they're realizing how vulnerable their IT systems are, so these large companies are actually being open to paying the ransom. Now, the challenge is it's large and small companies that are being hit with this. So you're not just focused on the big companies; for these little guys that are getting hit, unfortunately, it can be so cost prohibitive that it can potentially take them out of business. So hopefully manufacturing is finally starting to see the light that they have to spend the money on people, processes, and technologies to make this happen, because it's going to continue to be a factor for these different large companies. Now, some of the risk factors they call out in the article are obviously legacy OT, which is your legacy operational technology environments, plus your modern IT and IoT networks. When you start blending and coexisting these various networks, you're going to have increased risk to your organization. So we recommended that there should be some level of segregation, whether it's virtual or physical; it should occur, and I would highly recommend that. And then you have processes to manage that segregation.
Now, most of these are going after manufacturers, their supply chains, as well as the vendors attached to them. So again, risk factors are a big factor in what you are considering. Now, one of the things you need to consider as it relates to helping make your organization better: implement multi-factor authentication, especially in your process networks. Make sure you have network visibility and segmentation. The segmentation goes for separation between the two networks, as well as having tools that can provide visibility down into your process networks. Third party and supply chain: you need to have folks that actually understand what that looks like for your organization. Do you know who your third parties are? Have you done vulnerability assessments against them? Do you understand, if they were hit with a ransomware attack, how that affects your overall plan? Those are the kinds of thought processes that need to go into creating and managing third-party risk. And then you basically need to have some level of proactive measures in place, to include incident response plans. You need to have prioritized paying the ransom versus not paying the ransom. All of those scenarios need to be considered and thought out when you're looking at an overall ransom situation within the manufacturing space. So it's a very good article. It's in Dark Reading. I highly recommend it. It's one of those that you can use and maybe send to your senior leaders and say, hey, we're seeing more of this, and this is what I'm thinking of doing. That would be much more useful than just saying, hey, boss, look at this, this is really scary. You guys need to come up with a plan to help your senior leaders make the right choices for their organization. But again, check it out. Dark Reading is talking about manufacturing and the fight against ransomware heating up on the factory floor. So go check it out.
Okay, so this is a real quick overview of a book that I would highly recommend for you to read or to listen to, because I'm more of a listener. Now, you're probably asking yourself, well, why are we doing this? Well, if you are in cybersecurity and you're looking for your CISSP, you're wanting to grow within your organization in some level or form. The thing to keep in mind is that leaders are readers. And you are not born with the innate ability from the dear Lord to say, hey, I've got all this information in my mind, I'm good enough, I can make this happen. That is not going to work. So you need to read more books to understand how you should change as a person. I'm in a mastermind with small Christian business owners, and these folks have multi-million dollar businesses down to small businesses like mine. But the point of it is that people don't understand business, and so what do you do? You try to do business and you struggle. So the mastermind is around getting around other folks that have a large business or understand business to the level that you can then get smart on what you need to be smart on. Well, the recommendation came up for this book, and at first I was like, okay, I probably know how to communicate. I've taken a lot of communication courses, and I thought I understood communication, but as I'm reading and listening to this book, I realized that some of the communication skills I had as a CISO were not as effective as they could have been. And my CIO told me that on a couple different occasions, and I was a little bit offended by how he said it and what he said, and therefore I didn't dismiss it, but I didn't take it to heart as much as I could have. So this book, The Next Conversation, is from a trial lawyer, and this guy's name is Jefferson Fisher, and there's his picture, right? Big, beautiful boy.
And he's there doing his thing, but he's a trial lawyer who is trying to listen to and understand how people talk and understand how you should say things. And there were tells on myself that I thought were extremely valuable. One is, if you say you're sorry, don't do it just to say you're sorry because you goofed something up. Say it out of empathy, or because you truly are sorry about something that occurred, not because you made a mistake and go, oops, I'm sorry. Have different words for how to say that. And the other thing that is very helpful is not using so many adverbs within your sentences, and how you write emails, how you respond to emails. So I say all this just because, again, as a CISO, my CIO had some challenges with how I communicated and was trying to help me, and I didn't quite take it to heart because I didn't really understand what he was getting at. I did, but I didn't. So this book is an awesome book. I highly recommend it. It's going to help you, one, with your relationships in business as far as being in cybersecurity, because as we know, in cybersecurity, talking to leadership sometimes doesn't go well. This will really help you with that. The other thing it'll help you with is your relationships with your partners, your spouses, your sisters and brothers. It's really good in that as well. And I'm actually giving it to my kids to have them listen to it. Because it's just down-to-earth, straight talking: what you should do, how, and scenarios on how you can change the tune so you don't get into arguments, you don't get into heated conversations. It can help you defuse some of that. So, really good book. I know I've spent a little bit of time on it, but I just highly recommend it. Again, The Next Conversation: Argue Less, Talk More by Jefferson Fisher. All right, so now let's get started on what we're going to talk about today. Okay, CISSP Rapid Review Exam Prep, Domain 6.
This is focused on security assessment and testing. So as we look at the breakdown for this domain, Domain 6, 12% of the CISSP questions are focused on this specific domain. So it's a little less than the average of around 13%, and it's not as much as Domain 1, but it is still substantial. And again, like we've mentioned time and again, they do this so that the overall question base is very consistent across all eight domains. But before we get into the heat of the matter, I want to put a plug out there for CISSP Cyber Training. Go check it out. I've got gobs of podcasts that are available to you. I've got a month free to a three-to-five-month plan. There are 360 questions that are available to you. I have all kinds of content that is free. And there is a free bucket set up specifically for you with all kinds of stuff in there, to include all the rapid review questions and videos and all of those aspects. There are also paid resources. There's over 50 hours of CISSP content so that you can be prepared. I have over 1,500 questions; that's going to be close to 1,700 here soon. There's curated video and content. The one thing I wanted to stress is that you can go online and get all of the CISSP content that you want for free. You can find it in all different places. And in reality, you can get almost everything you need from me for free. But what you don't get from the free side is the curated piece of it. On the paid side, all of it is curated; it's set up specifically for you. I've got blueprints that are set on a three-, a four-, and a five-month plan. I'm also developing a seven- and a 14-day boot camp that are going to be set up specifically for you as well. Those are all going to be created; I'm probably about halfway to two-thirds done with those right now as we speak. So all of that's going to be available to you for the CISSP.
We've got deep dive products, mentorship, and then virtual CISO or IT leadership consulting is also available. So all of those aspects are available at CISSP Cyber Training. Lots of free stuff, and then also some really great paid stuff.

So let's roll into Domain 6, and we're talking 6.1. This is design and validate assessment, test, and audit strategies. So again, we're dealing with security assessment and testing. This is going to be a big factor in what we talk about today. Obviously, we focus on assessments and audits. We have different versions of this: you have internal, external, and third party. Now, the internal piece of this is conducted by an organization's own employees or an internal audit team. You may not have an audit team within your organization, so you may need to grab a group of folks and set them up to do an internal assessment or audit. Again, the terms are determined by your company. Typically, the audit term is not used for internal types of assessments, but again, they are used interchangeably in many different ways. This focuses on evaluating internal controls, policies, and procedures against established standards. I highly recommend that you do an internal, air quotes, audit prior to any sort of external audit coming into your organization. One, it will help prep the space; we would always say in the military, the battle space. It'll prep the space for when these auditors come in and they start asking deep questions. Because if you can do it ahead of time, you actually can set yourself up very well so that the audit that comes in from a third party is relatively smooth and seamless. Or you can be focusing on the things that they found for you. Because the thing is, you're going to find areas within your internal audit that you want to address. And so now you can address those.
And then when the external auditors come in, they see that you did your internal audit, they see that you're addressing those issues, and they will probably, most likely, not always, focus on other areas within your company to help make you better. So again, it's really good. The external audit is performed by independent third-party organizations, which we just briefly got into. These different organizations can be the high-end PwCs, Ernst & Youngs, the Deloittes; they can be all of these folks. However, they don't have to be these folks. There's plenty of independent auditors out there that can help you. At the company I'm working with, Nextpeak, we have plenty of folks that can help you with your assessments and audits as well. So it doesn't have to be the big boys and girls. You're just going to pay a big boy and girl price if you do that. There are other organizations out there like Nextpeak, shameless plug. The reason I say that is because we bring in experts like myself that can help you with those audits, and we can have a different perspective. In many cases with the big third parties, such as the Ernst & Youngs and the PwCs, they may bring in a subject matter expert at the beginning, but then they will most likely defer that back to analysts going forward. So you may not get the same level of care that you would with a smaller boutique type of organization. External auditors provide an unbiased evaluation of your security posture, often for compliance certifications or assurance to external stakeholders. And again, it's a really good process if your organization is regulated. Now, not all organizations need to have an external audit. You may be in a regulated type of environment that requires it. That's different.
If you decide to do an external assessment that isn't required by regulation, it's costing you a lot of money, and you've got to ask yourself, is that really a valuable tool? If you can do really good internal assessments, you don't necessarily need an external assessment unless, again, it is required through compliance by some sort of regulation, or, I will say, sometimes vendors you work with will require a third-party assessment, or they'll require some level of certification, such as SOC 2. So you've got to play all that out in your business. What is your business model? How does it work? How do you make money? Those are the types of aspects you'll have to be aware of. Now, third-party assessments. So we have external assessments, and then we have third-party assessments. These assessments and audits focus on evaluating the security posture and controls of external service providers, vendors, and partners. So basically it's an assessment of your third parties. You may hire the PwCs to actually go do an external assessment of your third-party folks. This all works out a lot in supply chains. There are a lot of different regulations that are starting to require a better understanding and analysis of your third parties. In the past, you would send a security assessment to a third party saying, hey, are you doing these things? And they're going, oh, of course we're doing these things. And so you're like, okay, cool, everybody's happy, no big deal. And then somebody gets pwned, and then that is a big deal. So it's one of those pieces where, if you're having some level of third-party assessment, you may want to consider doing that to your organization or to your third parties. Tell them up front this is coming. No, it's going to cost you money.
It may be as simple as what we would actually do: as an internal person, I would complete an assessment of a third party on behalf of my company. So I'd fly out to the location, I would do a third-party assessment of them, and I would then in turn file a report and send it to my senior leadership. We only did this for our critical suppliers, ones that maybe had intellectual property or were incredibly important to our organization. Those we would do ourselves. Now, I've never paid for a third party to do a third-party assessment, but there is that ability as well. It ensures that third-party risks are adequately managed and aligned with your organizational security requirements. So again, you have three different ones: internal, external by a third party, and then third party, where somebody, internal or external, is evaluating the third party.

Okay, Domain 6.2. Conduct security control testing. So we're going to begin with vulnerability assessments. Now, what is that? It's a systematic process of identifying security weaknesses in systems, networks, and applications. So you're actually doing a check, looking at all the different kinds of vulnerabilities within that system. It uses automated scanners to find known vulnerabilities, such as patches, misconfigurations, and so forth. Many times I've used this where I'm looking for a misconfiguration, or whether the application will allow you to authenticate as an unauthenticated user. So you're looking for all the different things that could cause you problems. Now, I will warn you, and we've talked about this in our trainings, that if you've never done this before and you go and turn on a vulnerability scanner, it will light up like a Christmas tree, and you'll go, oh my gosh, what am I going to do? And yes, that can be a bit overwhelming.
So I would highly recommend that if you're going to do this and you're in the initial stages of it, you let leadership know: yeah, this is going to be ugly, just so you know, and we're going to triage this appropriately, but it's going to be ugly. And that way, when they do see the report (and I would highly recommend that you don't send everything to them), it doesn't freak them out terribly bad, because you've already set the stage that this is going to be ugly. So again, vulnerability assessments, great thing. You should have a vulnerability assessment program within your company. That needs to be defined. It can be very simple or it can be very complex, depending on the size of your organization. But it uses automated stuff, it's got processes in place, and the tools you can use today are much better than what I had when I first started up my vulnerability assessment program with my company. Penetration testing: this simulates real-world attacks to identify exploitable vulnerabilities and assess the effectiveness of your security controls. This can be black box, which basically means no prior knowledge of what's going on. It can be white box, which is full knowledge of what's going on, or gray box, which is limited knowledge, which, you know, makes sense, right? I've done all of those, gray, white, and black. They are all very different types of pen tests. They all produce very different reports, and they also get very different responses. Some are like, oh yay, thank you for telling me. Some are like, get out of my building, I want you gone now. Which was not good. Yeah, that one was not so pleasant and positive. But many of them are very positive because they call you in to have that done. So penetration tests are a really good thing; you should do these.
Now, they're going to be targeted, they're going to be on limited areas, and I would highly say that if you're going to use some sort of penetration test within your company, you have it very scripted, very defined; not scripted on what they're going to do, but scripted on what the guardrails are in which they need to operate. Because penetration testing can go really quickly down a rabbit hole and can get ugly. And so it's imperative that everybody is on the same sheet of music when doing a pen test. Log reviews: these are systematic examinations of security logs from various systems, such as firewalls, servers, and applications, to detect any sort of suspicious activity or anomalies that you may find within your organization. Log reviews can be done manually, which I do not recommend, or they can be done automatically, or automagically. And I would say yes, you should do automagic, most definitely. And you need to incorporate these log reviews into a SIEM of some kind, and this is your security information and event management system. There are various SIEMs on the market. I help companies with their SIEMs, or more or less their security operations center setup. And so there are a lot of different things that these SIEMs can do for you. They're much better than they have been in the past. But at the end of the day, you still need people to help triage these types of alerts that are going to be coming in. And you need to have an architect help you with your overall log reviews as far as setting up your logs so that they can go into the SIEM correctly. But again, those are security control testing: vulnerability assessments, penetration testing, and log reviews. Now we're going to get into synthetic transactions. These are simulated user interactions with applications or services to monitor performance, availability, and sometimes security, right?
The one with security would be ensuring that your login process is actually working well. Now, synthetic transactions, just like it states, are simulated user interactions. In the development world, you have user acceptance testing that occurs. It's very similar to this. They walk through what the end user would be expecting to see when they're clicking on the links. And that would be the same type of situation. It does help detect outages or performance degradation before real users are affected. So there are lots of different pieces in this. Now, it's not the same as user acceptance testing in the web world, but it's just a synthetic kind of thing. What occurs? Are we causing any outages? Are we causing any blue screens of death? These are all the types of things you look at when you're doing a synthetic transaction. Code reviews and testing. Code review is a manual or automated examination of the source code to identify security flaws, logic errors, and adherence to secure coding standards. You want to develop this in a way that is tied to your CI/CD pipeline, which is your continuous integration and continuous development environment. And therefore, you want to have code review built into this. I would highly recommend you do an automated slash manual peer review of the code that you're using. And I say that in the sense that the automated piece of this looks for any sort of flaws that the machine can figure out, i.e., the AI piece of this can do a lot to help you find any sort of vulnerabilities that might be in place. So we'll use, for example, an input validation error. Say, for example, you have input validation on a web form, and it's typically for your first name, and the first name field length should only be, let's just say, 27 characters. That's a number we're going to pick. And you shouldn't have it any more than 27 characters.
Well, the AI will figure out, when it goes and reads the lines of code, that it should only be 27 characters. But right now you left that as null. You left it as open. So if that's the case, it will flag that saying, hey, yo, bro, you need to go fix this. And so that's something where the automated piece of it can help. Whereas when you're doing peer review of code, it's easy to not see that. It's extremely easy not to see that. So let the machine find those areas, the easy, air quotes, low-hanging fruit, right? That's the easy-to-grab-off-the-tree kind of stuff. Next one is unit testing: testing individual components or functions of code for security vulnerabilities. That's unit testing. And then integration testing is basically how is it all talking together? Testing the security of the different modules and services and how they would potentially interact. So that's code review and testing. You're going to need to know that. And if you haven't done code review, that is fine, but you're going to need to know it for the CISSP. So I would highly recommend that you go into the different volumes that I have at CISSP Cyber Training and focus on that if you've never done it. I'd say that's probably one of the biggest areas that people I've talked to miss: they don't have a lot of development background. So the code review piece of this, and anything dealing with the coding side, which is Domain 8, can be a bit of a challenge for them. Misuse case testing. This is a testing methodology that focuses on identifying how a system could be misused or attacked by a malicious actor. So again, you're using it as if you're a bad guy or girl trying to figure out how to break in. And this is, you know, like I mentioned for input validation, that would be something that somebody might test against.
So it involves creating scenarios that describe how the attacker might exploit the various vulnerabilities. This is the next level of threat analysis. This is where you're planning for the threats that are out there and how you're going to address them. This is high level; if you're doing this, you are top tier. You really truly are. If you're doing misuse case testing, you are really taking your area to the next level. Now, this is also a maturity thing. If your organization is not doing this, that's fine, but you need to start maturing yourself to get to a point where this is an area that you can be doing without any issues. Test coverage analysis. This measures the extent to which the security tests cover the application's code, features, or attack surface. It helps identify gaps in your overall test analysis. So what it comes down to is, of your overall test coverage, how much are you covering for your entire organization? And maybe you're not covering the entire thing; maybe you're just looking at your web front end, or anything that's internet-facing is the only thing you're actually looking at. That could be a problem. What are you doing internally to help with that? Interface testing: this is probably one of those that I feel is so strong within many organizations. This is focused on the security of communication between different systems, components, modules, or applications. APIs. I love APIs, they're the best, right? APIs are wonderful for organizations. However, they can also be the nail in your coffin that buries you in the ground, because they can go bad quickly. And having a good plan around APIs is an important plan to have. You just really need that. Web services: do you have web front ends? Which is great. You have an internet-facing website. Does that interface, that website, have any sort of back-end communications back into your network?
Are there any sort of VPN tunnels or IPsec tunnels that come from outside your web services that actually come back into your network? And why? Because in many cases those tunnels are in place because people needed to push updates to these web services. And that's fine, you can have those, but you need to have a good security review of it. In this case, let's just say you're pushing updates to the web services. It's a push, not a pull. You can't get data back; you can only push data out to it. That's a really good security model, because you're pushing data out, and if somebody gets access to your web services, they can't come back in. But that takes some really strong architecture on how to best do that. And I would highly recommend that you consider that if you have an internet-facing website. Conduct security control testing. This is where you have breach and attack simulations. They call them BAS. You know, here in the Midwest we fish for bass. That's a big fish that's got gills and a big mouth. But no, this is not the same fish. This is breach and attack simulation. These are automated platforms that continuously and safely simulate various attack scenarios, such as phishing, malware, lateral movement, etc. And you run these against your organization to test its security controls. Now, this is again the maturity level ratcheting up. This is a very, very leading edge kind of thing. Now, it does provide continuous validation of security effectiveness without the risks of a full penetration test. So, what are some risks with a full penetration test? Well, one is what we always used to call the ghost in the machine. What it is is that you're going out there and you're doing a pen test of, let's say, system X, and then all of a sudden somebody is saying, oh, we lost all connectivity on system Y. Hey, guess what? It's got to be the hackers. They're doing it.
"The pen test did it, shut it down." Okay, well, that is usually not the case. I have seen it where you're over here mucking around in X and it does affect Y, but for the most part, that isn't the case. So that can cause problems. The other thing is the penetration tester going in and doing something they shouldn't have done, or maybe going a little too far because the guardrails weren't set up. That can cause risk within your organization as well, because most times when they're working as a pen tester, they're going in with high-level credentials and they can do really bad things. Whereas in the breach and attack simulation model, there isn't that same level of risk, because it's all done in a simulation, not in an actual environment.

Now, compliance checks. Here you need to verify that systems, configurations, and processes adhere to the specific regulatory requirements that are part of the work you're dealing with. What you're doing is checking whether it meets the compliance needs for your organization. In this case, are you dealing with the Coast Guard? Are you dealing with what I was dealing with, NERC CIP? Are you dealing with the various financial industries, NYDFS? All of these different types of people, are you working with them? And if so, are you meeting the compliance requirements that are assigned to that? It also involves automated tools to audit configurations against predefined baselines.

Okay, domain 6.3, collect security process data. This is for technical and administrative. So, account management. You want to regularly review and audit user, system, and service accounts. You want to go over all of those. This will help you ensure that proper provisioning, deprovisioning, and modification of access rights are followed as specified by your company's policies. So this is where account management is really important.
You should regularly review and then audit user, system, and service accounts. I say you should, and I would highly recommend it as a foot-stomp thing. In the military, when there was something on a test you needed to remember, the instructor would foot stomp, would pound their foot on the ground, saying you may want to pay attention to this. You may want to pay attention to this account management piece. And I'm not saying that because of the test, because you know what? The test is super random. If I tell you it's gonna be on the test, it probably won't be. My point is that you need to be prepared to understand account management on the test and in life, because you will want to review and audit your user and system accounts and especially your service accounts. It ensures proper provisioning, deprovisioning, and modification of access rights are followed. If you don't do this, this will burn you, I guarantee you. And even if you do it, it still may burn you. But if you don't do it, you're really gonna go up in flames. You might as well just put some gas on the fire and light a match, because it's gonna be fun. Because if you're around when this happens, life is no fun at all.

Management review and approval. This is a formal process for management to review security assessment findings, audit reports, and risk analysis. You need to have a formal process in place for how you're gonna feed them these reports. This requires explicit approval of risk acceptance, remediation plans, and policy changes. This is an important part. Again, this comes back to the book that I recommend. If you're gonna apply any of Jefferson Fisher's The Next Conversation, you have to have a good conversation with your senior leaders so they understand risk acceptance, remediation, and policy changes. You need to know that, and you need to set that up specifically with your senior leaders.
Do not wait for the time when the balloon goes up and everything is falling apart to say, where are we at with risk acceptance? You need to know that going into it.

KPIs and KRIs. So this is where we're dealing with metrics. Metrics are an incredibly important part of your organization, and you need to follow metrics as much as you possibly can. Now, this is where you define and track metrics that provide insight into the effectiveness of security controls and the organization's risk posture. KPIs are key performance indicators, and KRIs are key risk indicators. Some examples would be your mean time to detect, MTTD. This is an important one for you to know within your organization; your security operations folks would know this. Mean time to respond, MTTR, is how fast you respond. Vulnerability density, percentage of patched systems, etc., etc. Now, you're gonna want to know that these KPIs and KRIs are different depending on who is getting the presentation. For your board of directors, you may want MTTD and MTTR. That would be something they would be interested in. The vulnerability density and percentage of patched systems, maybe, maybe not. You want to keep it simple and straightforward, but it really comes down to the overall risk to their organization. But you need to define what these are. Do not, I repeat, do not skimp on your various metrics for your company. You need to do this. I've seen companies that don't have metrics, and it's a poo show. It's not good. Ones that do have metrics, they are doing well, and they at least know where their risks are at. Now, does that mean they're perfect? Heck no. Does that mean that they won't get pwned? Heck no. But they are in a much better position to be able to weather the storm. So again, I've probably beaten that drum a little hard.
What I'm trying to say is that metrics and vulnerability assessments are two key areas that most companies do not do very well.

Backup verification data. This is where you regularly test backups and recovery procedures to ensure data integrity and the ability to restore critical systems. You document verification results to demonstrate recovery capabilities. Bottom line is, you need to have a backup verification point. Are you going to ensure that your recovery procedures work? And are you going to ensure the integrity of the data that's being backed up? You need to make sure you have a plan and a process by which this will operate, so that you feel confident that when this data is being backed up, it is fully free of any sort of malicious code and that the integrity of the data is going to be solid where it's being backed up to. Because the last thing you need is to go and restore your data with corrupted data or corrupted backups. Oh my goodness, that is not a fun place to be. Been there, done that, got the t-shirt way too many times. So something to consider there.

Training and awareness. Assess the effectiveness of security education, training, and awareness programs. This comes back to metrics: you need to have a way to assess the effectiveness of this. We used one real simple way, and this is a very good way that you can use within your company: the mean time to report. So, how fast do your people report an incident? You start off a phishing campaign, and you've been training them on reporting and reporting and reporting and reporting. And then what ends up happening is, when the phishing campaign kicks off, how fast do the employees report the incident to the service desk?
And we would consider that if somebody's reporting it, the odds go up substantially that you could stop the phishing attack before it affected more people. So we used that as a metric. Is that gonna be perfect? No, but it does give you some level of response to see how your employees are actually responding to the training that they've been given. Measure employee understanding of policies and their ability to identify and report security threats. So this is also another part of training and awareness: do they understand the policies, are they following the policies, and are they actually doing what your policies call out?

Disaster recovery and business continuity. Conduct regular exercises and tests of your DR and BC plans, and evaluate the organization's ability to recover critical operations and systems after a disruptive event. So this is an important part that you need to have within your organization, DR and BC. Now, we'll call this out in other areas within the CISSP, but again, DR is your disaster recovery for your business. Your BC is what allows your business to run. They're two separate entities; they are not the same. Unfortunately, people will use them as similar terms. They do affect many additional aspects within your company, but when it comes right down to it, disaster recovery is company wide, and business continuity is focused on sustaining the business itself. And you may have BC plans for various parts of your business to ensure that that part is up and running and making you money, because that's the ultimate goal of business: to make money and to create a profit.

All right, domain 6.4, analyze test output and generate reports. So when you're dealing with this, you have remediation. This is the process of identifying, addressing, and fixing identified vulnerabilities or weaknesses in the systems or processes.
And again, this kind of comes back to what we talked about before, where you have a report that deals with how you're going to address these vulnerabilities. This involves applying patches, reconfiguring systems, updating your code, or implementing new controls to eliminate or reduce the risk. Now, one thing to consider that you will run into when you go to a new organization is that the systems they have may be outdated and you can't patch them. You are gonna have to work with your architects to come up with a solution around this. And I've done it; it's possible, it just takes a lot of work and a lot of effort to make that happen. So if you can avoid these older systems and have new systems, great. Then you're in a much better position of protecting your company. If you go to a company that has a lot of old and outdated systems, you're gonna be busy. But the great part about all that is, you know what, they're so old they probably won't get hacked. Wink, wink, right. Uh-huh, sure. So that's the argument going into this a lot of times. I was dealing with a system that was from the 1970s. And I would say, because it's from the 1970s, it's probably on the side of it won't get hacked, because nobody even knows that code. However, the problem is that they're also held together with baling wire and toothpaste, or not toothpaste, but yeah, duct tape. That's it. With baling wire and duct tape. So yeah, if you breathe in the wrong direction with those, they sometimes tip over. So again, you've got to look at your organization and what you've got, and then try to figure out how to best deal with it. Prioritization of remediation efforts is based on risk assessments, which you will accomplish, and this comes down to likelihood and impact, the criticality of the affected asset, and any sort of regulatory requirements. Again, regulatory requirements will dictate a lot in your life.
They're put in place in many ways to help guide people in the right direction. So don't look at them as a negative. They just really aren't. There are, unfortunately, sometimes when they are, because the people that are evaluating you are very checklist driven and they don't necessarily understand the risk. But if you use them as a guidepost, you are in a much better position to deal with the regulators if you follow much of what they do. And if you have good reasons not to follow it, that is okay too. In most cases, I should say, at least in the interactions I've had with regulators, they are very open to looking at this from a business risk standpoint, and they're open to challenge. But you've got to have a plan before you just go in there and say, "I'm not doing it because I don't want to." Yeah, that won't work.

Exception handling. This is the formal process for managing situations where an organization cannot or chooses not to comply with specific security policies, standards, or controls. This requires a documented justification, like I just mentioned, and a clear understanding of the residual risk, which is often addressed by implementing compensating controls. So you've got to deal with residual risk. There's inherent risk and residual risk, and you're going to have to work through each of those depending upon the compensating controls within your company. There are exceptions to all rules, and you need to have them formally documented and managed. This requires formal approval from appropriate management. This would be risk committees, your CISO, and regular review to ensure that the exception is still valid and the compensating controls are effective. Again, you must have this in place for your organization, especially if you're dealing with any sort of exceptions. Exceptions will happen. You're going to need exceptions, but they need to be documented.
And then also, what is your plan to avoid or to fix the challenge that you're dealing with? This has to be signed off by all people that are important within your company. I said important; I shouldn't say that. I mean those with influence. Everybody's important, everybody has merit. It's just the folks that have influence and have decision rights within your organization. Those are the people that need to be signing off on all of this.

Ethical disclosure. This is the process that is set up for communicating identified vulnerabilities to all affected parties in a manner that minimizes harm. So we've seen this and we've talked about this on CISSP Cyber Training multiple times, that there's effective ethical disclosure that companies will do. There's a way to do this. And much of it really comes down to just being a good human, in the fact that you give people a heads up that this is coming, and then you give them timelines in which they need to get it fixed. And if they don't do that, you give them a warning. If they still don't do that, you release it. That's the point. You've done your best for ethical disclosure. Because I've seen this with the manufacturing folks in the past, where we've seen vulnerabilities and we've reached out to the manufacturers of the various operational technology networks and the various technologies that are tied to the operational side, and they have not taken, what we should say, advantage of that knowledge. And therefore, what ends up happening is that you have to decide whether you're gonna say, "Well, we're gonna release this." The problem with releasing it, if you're a business owner, is that now you're on the hook for being in a situation where you are liable. So you wouldn't do this as a business owner, but you'd find ethical hackers that would go in and maybe help push the situation.
Again, that's something you'd have to work through to make that happen. I found this out when I was with my organization: we found some vulnerabilities, and these vulnerabilities were substantial, and we reached out to the manufacturer, and the manufacturer did fix them. I will give them credit for that. They did fix them, but it took them like eight months to do it. I had talked about ethical disclosure to my CIO and to our COO, and they were not a fan of it, and I can understand why, because it puts us on the hook for risk. So we just basically looked at the problem and we mitigated the problem as best we could within our organization. Once it was patched, hey, life is good, we're back to normal. This typically involves a coordinated approach where you notify the vendor privately first, providing them with time to develop a patch, agreeing to a disclosure timeline, and then publicly disclosing only after a fix is available or a reasonable time has passed without vendor action. This allows users to best protect themselves. Again, you want to consider who would do this. As a business owner, you probably would not do that, because it opens you up to a lot of risk. But your legal team may tell you something different, because that's where I come back to: legal was my friend. I talked to them a lot, and they're the ones that will help you in this space. It adheres to principles like minimizing harm, protecting society, and acting honorably, as per what we talk about, the ISC² Code of Ethics. Again, being a good human. If you just want to be a good human, that fixes most problems. Hey, you know what? You've got a problem. I'm gonna give you time to fix it. And oh, here's the time to fix it. If you don't fix it, I'll tell you again to fix it. But if you still don't fix it, again, I'm being a good human to protect my other humans; I've got to release it. Make sense? Right, be a good human.
All right, conduct or facilitate security audits. This is number five. So, internal: this is where you would do an assessment performed by the organization itself, right? We talked about this, and you're evaluating internal controls. Again, this comes back to, and we're kind of doing the same thing we talked about in 6.1. But the benefit is, again, we're talking about internal audits, this provides continuous insight, fosters internal expertise, and can be more cost effective. So when you're taking the CISSP exam, just know that in 6.1 they're going over this a couple of different times, and they want you to know it for a reason. The external ones, we talked about, these are conducted by an independent third party, and they provide an unbiased, objective evaluation of the security posture and are often required for compliance, such as ISO 27001, SOC 2, etc., etc. And these guys and gals that come in and do this, they provide a really good, fresh perspective on what you should know. However, like I said, sometimes these folks that come in are very junior, they're very young, they're just getting started, which is great. They've got to find a place to get started, but then they're going down a checklist: option one, do you have this? Option two, do you have this? Option three. And you're going, yep, yep, yep. Okay, okay, we're good. Have a nice day. No, they don't dig into the details of it sometimes. Now, as they get more seasoned, then they know what some of the questions to ask are and what some of the follow-on questions to ask are. But once they get a little bit more seasoned, like everybody else, they want to go earn more money and do more things, and so they go to a new opportunity. And so then you're back to square one again with a new person. But again, at least it's something; it's valid.
Now, I would say sometimes, and I've seen this, you get an external audit, you know the results coming in, and you're more or less just paying to have them reaffirm what you already know. Yes, that happens a lot too. And it can get very expensive doing that. We talked about third-party assessments as well. This is designed to help you understand and manage your supply chain risk. Third-party security aligns with the organizational requirements, and you verify contractual security obligations. That's a big one, though, to keep in mind. So I would go through our security contracts with our third-party vendors, and we had boilerplate language, which basically means it's a template. And this boilerplate language, as it relates to security, would be whatever, right? They won't do any harm to us intentionally, blah, blah, blah, blah. But what I did do is, for anything that is in the supply chain, especially if it's critical or has connections into our network, I had another contract made that specifically called out what they are required to do in the event of a breach or in the event of a security incident. So you need to have your contractual language understood by your legal team; it needs to be really looked at and understood by them. And you need to be well involved with that. Do not rely on the legal team to do it all. They will not, though I shouldn't say they will not; that's very absolute. They will have a challenge doing it all by themselves, because in most cases, not in all cases, but in most cases, the legal teams don't have a strong cybersecurity background, and therefore they may go in a certain direction when you may want them to go in a different direction. So, again, not all legal teams have a cybersecurity professional, and so therefore you may have to be that cybersecurity professional, providing them a level of guidance and knowledge around what you have seen and experienced.
Again, it manages or mitigates risk introduced by the supply chain, and it helps you be in compliance with third-party risk management. Again, the one point they talk about in here as well is your organization's extended perimeter. Your third parties, in many cases, especially if they have connections into your organization through APIs or through some other connection, are your organization's extended perimeter. And that's a big deal. And so you need to make sure that you understand what that looks like and how it affects you and your company.

Okay, so that's all I have for domain six. This again is the domain six rapid review, and this is going over what you are going to need and what you need to understand as it relates to the CISSP, and then further for domain 6.4. So if you feel confident in all those areas that I went over, like, oh yeah, I got this, I got this, then you're in a good spot. But if you're going, I don't really know what he's talking about there, or I probably could dig deeper into that, you need to go to CISSP Cyber Training, and I can help you with that. Okay, I've got a bunch of free stuff that's out there, free resources that are at CISSP Cyber Training. I've got study plans, I've got questions, study questions, you name it, I've got it. It's out there, it's free, it's available to you. If you want more curated stuff that walks you through step by step by step, versus just trying to grab all the free stuff you can and figure it out on your own, you know what? You can go to my paid resources. I've got over 50 plus hours of content covering all of the CISSP. It's available to you online while you're driving to work. You can listen to it, you can watch it. Wouldn't recommend watching it unless you're in a Tesla, I guess. But I wouldn't recommend watching it while you're driving. 1500 plus questions, actually gonna be up to over 1700 here soon.
I've actually got a final test question bank that you're going to have available to you. And this question bank will simulate the exact test itself. You're going to take a timed test, and you will then go over 250 questions and you'll see how you do. Again, you're going to have all of that available to you. Deep dive topics, mentorship. I have all kinds of mentorship available as well. And finally, if you need any sort of virtual CISO, IT leadership, or some other level of consulting, I can help you either at CISSP Cyber Training or with my partners at Nextpeak or Cyber Leader Hub. So lots of different capabilities for you and available to you at CISSP Cyber Training. Okay, have a wonderful, wonderful day, and we will catch you all on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube; just head to my channel at CISSP Cyber Training, and you will find a plethora or cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 363 CISSP questions to help you in your CISSP journey. Thanks again for listening.
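The account management segment of the episode (domain 6.3) says to regularly review user, system, and service accounts and check that provisioning and deprovisioning followed policy. The following is an added example of what that review looks like in code; it is not from CISSP Cyber Training and not from any product. It cross-checks a constructed directory export against a constructed HR active roster and flags the three classic findings: a user account whose person has left (deprovisioning gap), a service account with no owner or whose owner has left, and any account that has not logged in within the review window. The 90-day staleness threshold and all records are constructed assumptions.

```python
"""Account review: directory export cross-checked against the HR roster.

Added example for the Domain 6.3 'account management' segment; not code
from CISSP Cyber Training. Every record below is constructed sample data.
"""
from datetime import date

REVIEW_DATE = date(2025, 10, 27)   # constructed review date
STALE_DAYS = 90                    # assumed policy: no login in 90 days = stale

# Constructed directory export. kind is one of: user, service, system.
ACCOUNTS = [
    {"name": "jsmith",         "kind": "user",    "owner": "jsmith", "last_login": date(2025, 10, 20), "privileged": False},
    {"name": "aperez",         "kind": "user",    "owner": "aperez", "last_login": date(2025, 9, 1),   "privileged": True},
    {"name": "tlee",           "kind": "user",    "owner": "tlee",   "last_login": date(2025, 5, 2),   "privileged": False},
    {"name": "svc-backup",     "kind": "service", "owner": "aperez", "last_login": date(2025, 10, 26), "privileged": True},
    {"name": "svc-legacy-hmi", "kind": "service", "owner": "tlee",   "last_login": date(2025, 1, 15),  "privileged": True},
    {"name": "svc-etl",        "kind": "service", "owner": None,     "last_login": date(2025, 10, 25), "privileged": False},
]

# Constructed HR roster of currently active employees. tlee has left.
ACTIVE_EMPLOYEES = {"jsmith", "aperez"}


def review_accounts(accounts=ACCOUNTS, active=ACTIVE_EMPLOYEES, today=REVIEW_DATE):
    """Return (account name, finding) pairs for everything that needs action.

    An account can produce more than one finding (e.g. a departed user's
    account that is also stale), so the caller sees each reason separately.
    """
    findings = []
    for acct in accounts:
        days_idle = (today - acct["last_login"]).days

        # Deprovisioning gap: the person is gone but the account still exists.
        if acct["kind"] == "user" and acct["name"] not in active:
            findings.append((acct["name"], "deprovisioning gap: user not on HR active roster"))

        # Service accounts must have a living owner who can attest to them.
        if acct["kind"] == "service":
            if acct["owner"] is None:
                findings.append((acct["name"], "service account has no owner"))
            elif acct["owner"] not in active:
                findings.append((acct["name"], "service account owner has left; reassign"))

        # Stale accounts are disabled pending justification, whatever their kind.
        if days_idle > STALE_DAYS:
            findings.append((acct["name"], f"stale: no login for {days_idle} days"))
    return findings


def privileged_for_attestation(accounts=ACCOUNTS):
    """Privileged accounts get an explicit owner sign-off every review cycle."""
    return sorted(a["name"] for a in accounts if a["privileged"])


if __name__ == "__main__":
    for name, reason in review_accounts():
        print(f"{name:16s} {reason}")
    print("attest:", ", ".join(privileged_for_attestation()))
```

The point of keeping the HR roster as the source of truth, rather than the directory's own "enabled" flag, is that the review catches the case the episode warns about: the account that was never deprovisioned because nobody told IT. Service accounts are checked against the same roster because an orphaned service account is the one nobody will notice is still running.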
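The KPI/KRI segment (domain 6.3) names mean time to detect, mean time to respond, vulnerability density and percentage of patched systems, and the training segment adds mean time to report from a phishing campaign. The block below is an added example, not code from the episode or from CISSP Cyber Training, that pins each of those metrics to a concrete definition over constructed incident, host and phishing-simulation records. The choice of units (hours for MTTD/MTTR, open vulnerabilities per host for density, minutes for time to report) and the handling of open incidents and non-reporters are my assumptions; the records are constructed.

```python
"""Security KPIs/KRIs computed from constructed sample records.

Added example for the Domain 6.3 'KPIs and KRIs' and 'training and awareness'
segments; not code from CISSP Cyber Training. All data below is constructed.
"""
from datetime import datetime
from statistics import mean

# Constructed incident records (ISO timestamps): when the activity started,
# when the SOC detected it, and when it was contained. resolved=None means
# the incident is still open at reporting time.
INCIDENTS = [
    {"id": "INC-1", "started": "2025-10-01T08:00", "detected": "2025-10-01T09:30", "resolved": "2025-10-01T13:30"},
    {"id": "INC-2", "started": "2025-10-03T22:00", "detected": "2025-10-04T02:00", "resolved": "2025-10-04T10:00"},
    {"id": "INC-3", "started": "2025-10-10T14:00", "detected": "2025-10-10T14:30", "resolved": None},
]

# Constructed patch inventory: one row per host, with the count of open findings.
HOSTS = [
    {"host": "web-01",   "patched": True,  "open_vulns": 2},
    {"host": "web-02",   "patched": True,  "open_vulns": 0},
    {"host": "hmi-07",   "patched": False, "open_vulns": 11},
    {"host": "plc-gw-3", "patched": False, "open_vulns": 5},
]

# Constructed phishing-simulation results: minutes from send to the recipient's
# report to the service desk; None means that recipient never reported it.
PHISH_REPORT_MINUTES = [4, 12, None, 30, 9, None]


def _ts(s):
    return datetime.fromisoformat(s)


def _mean_hours(deltas):
    # None (not 0) when there is nothing to average, so a dashboard cannot
    # mistake "no data" for "instant".
    if not deltas:
        return None
    return mean(d.total_seconds() for d in deltas) / 3600


def mttd_hours(incidents=INCIDENTS):
    """Mean time to detect: detected - started, over incidents with a detection time."""
    return _mean_hours([_ts(i["detected"]) - _ts(i["started"]) for i in incidents if i["detected"]])


def mttr_hours(incidents=INCIDENTS):
    """Mean time to respond: resolved - detected, over closed incidents only.

    Open incidents are excluded rather than counted as zero; counting them
    would flatter the number exactly when response is slowest.
    """
    return _mean_hours([_ts(i["resolved"]) - _ts(i["detected"]) for i in incidents if i["resolved"]])


def open_incident_count(incidents=INCIDENTS):
    """Reported beside MTTR so the excluded incidents stay visible."""
    return sum(1 for i in incidents if not i["resolved"])


def patched_percentage(hosts=HOSTS):
    if not hosts:
        return 0.0
    return 100.0 * sum(1 for h in hosts if h["patched"]) / len(hosts)


def vulnerability_density(hosts=HOSTS):
    """Open vulnerabilities per host (a KRI: it rises before anything breaks)."""
    if not hosts:
        return 0.0
    return sum(h["open_vulns"] for h in hosts) / len(hosts)


def mean_time_to_report(minutes=PHISH_REPORT_MINUTES):
    """(mean minutes to report among reporters, percentage who reported at all).

    The two go together: a fast mean from a handful of reporters says little
    if most recipients never reported the message.
    """
    reported = [m for m in minutes if m is not None]
    rate = 100.0 * len(reported) / len(minutes) if minutes else 0.0
    return (mean(reported) if reported else None, rate)


def board_summary():
    """The short form the episode suggests for a board audience."""
    return {"mttd_hours": mttd_hours(), "mttr_hours": mttr_hours(),
            "open_incidents": open_incident_count()}


if __name__ == "__main__":
    print(board_summary())
    print("patched %:", patched_percentage(), "vuln density:", vulnerability_density())
    print("time to report (min, rate %):", mean_time_to_report())
```

Each function returns a value rather than printing, so the same definitions can feed a SIEM dashboard, a monthly report and the board slide without the numbers drifting apart between audiences.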
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!