CCT 066: Cybersecurity Governance - Mastering CISSP Domain 1.3 with Essential Security Governance Principles
Ready to fortify your organizational security? We promise to equip you with a deeper understanding of security governance principles - the backbone of any effective information security program. We highlight the pressing need for strategies that align with the mission and vision of the organization, especially in the face of the growing threat of ransomware attacks. We dissect a recent news piece that underscores the importance of safeguarding critical infrastructure. But that's not all, we also reveal the resources that'll help you ace the CISSP certification exam.

Imagine having the power to create a foolproof USB policy. We guide you through the process of crafting a classification schema, handling procedures for each classification level, and constructing an impactful security awareness program. Get the inside scoop on why specialized training for your security personnel could be a game-changer. We touch upon the necessity of consistent feedback and evaluation mechanisms that can instigate continuous improvements in your security initiatives.

Change can be daunting, but what if we told you that embracing security control framework mapping could be transformative? We delve into the pros and cons of security control mapping, the challenges you might face, and the various methodologies at your disposal. We'll also share practical examples of mapping NIST to ISO and HIPAA to COBIT to ensure compliance with varying regulations. Navigating GDPR and the ISO 27000 framework needn't be a nightmare anymore. If you're gearing up for the CISSP test this September, you'll have our best wishes and a wealth of invaluable information.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

I. Security Governance Principles

These principles provide the foundation for the information security program within an organization. The concept stresses the importance of security strategies that align with the organization's mission, vision, and goals.

  • Alignment with Business Objectives
    1. Strategic Alignment:
      • Understanding organizational strategies.
      • Ensuring that security goals support and enable these strategies.
      • Facilitating decision-making processes between business and security objectives.
    2. Business Impact Analysis (BIA):
      • Identifying critical business functions and processes.
      • Assessing the potential impact of security-related events on these functions.
      • Developing mitigation strategies to minimize business disruptions.
  • Security Policies
    1. Development of Policies:
      • Engaging relevant stakeholders in policy creation.
      • Ensuring that policies are aligned with legal and regulatory requirements.
      • Clearly defining roles and responsibilities within the policy framework.
    2. Policy Enforcement:
      • Implementing monitoring and auditing measures.
      • Developing an enforcement mechanism to ensure compliance.
      • Handling violations and exceptions through clearly defined procedures.
  • Security Procedures and Guidelines
    1. Standard Operating Procedures (SOPs):
      • Creating detailed instructions for implementing security controls.
      • Ensuring that SOPs are easily understood and actionable.
    2. Guideline Development:
      • Formulating best practices for security within the organization.
      • Allowing some flexibility to adapt to specific situations or requirements.
  • Information Classification
    1. Classification Criteria:
      • Defining clear criteria for classifying information (e.g., sensitivity, value, legal requirements).
      • Ensuring consistent classification across the organization.
    2. Handling Procedures:
      • Developing specific handling procedures for each classification level.
      • Including storage, access, transmission, and destruction guidelines.
  • Security Education, Training, and Awareness (SETA)
    1. Security Awareness Programs:
      • Designing programs to enhance overall security consciousness among employees.
      • Utilizing various communication channels (e.g., newsletters, workshops, online training).
    2. Specialized Training:
      • Offering targeted training for specific roles or responsibilities.
      • Ensuring that security personnel are trained in relevant technologies, regulations, and organizational practices.
    3. Effectiveness Evaluation:
      • Measuring the impact of SETA programs on employee behavior and organizational security posture.
      • Implementing feedback loops to continuously improve SETA initiatives.
Security Control Frameworks

  • These frameworks provide structured methods for managing security within an organization.
  • These are some of the widely-accepted standards used by organizations to manage and control their security practices:

1. ISO/IEC 27001

  • Overview: International standard for Information Security Management Systems (ISMS).
  • Purpose: Helps organizations manage and protect information assets through a systematic risk management process.
  • Key Components:
    • Scope, Policy, and Objectives: Defines the scope of the ISMS and sets specific goals.
    • Risk Assessment and Treatment: Identifies, assesses, and mitigates risks.
    • Monitoring and Improvement: Ensures continuous improvement through regular assessments.
  • Certification: Organizations can obtain ISO 27001 certification, demonstrating adherence to the standard.
  • ISO/IEC 27002 (companion standard):
    • Overview: Code of practice for information security controls, working alongside ISO/IEC 27001.
    • Purpose: Provides practical guidelines on implementing security controls.
    • Key Controls: Includes guidelines on areas such as access control, cryptography, information security incident management, and compliance.

2. NIST SP 800-53

  • Overview: Part of the U.S. National Institute of Standards and Technology's Special Publication series.
  • Purpose: Provides a catalog of security controls for federal information systems.
  • Key Components:
    • Control Families: Organizes security controls into families like Access Control, Audit, and Incident Response.
    • Baseline Controls: Defines minimum security controls for different system categorizations.
    • Supplemental Guidance: Offers additional context and information on implementing the controls.
3. COBIT (Control Objectives for Information and Related Technologies)

  • Overview: Business framework for governance and management of enterprise IT.
  • Purpose: Aligns IT goals with business objectives, providing tools to support governance, management, and assurance.
  • Key Components:
    • Domains: Organized into domains such as Build, Acquire & Implement; Deliver & Support; Monitor & Evaluate.
    • Processes: Defines specific processes within each domain.
    • Control Objectives: Outlines what must be achieved within each process.
  • COBIT 2019: Latest version, emphasizing governance, management, and tailoring to organizational needs.
4. CIS Controls (Center for Internet Security Critical Security Controls)

  • Overview: A prioritized set of actions to improve cybersecurity.
  • Purpose: Helps organizations quickly bolster their defenses by focusing on key controls.
  • Key Components:
    • Basic Controls: Fundamental controls like Inventory and Control of Hardware/Software Assets, Secure Configuration, Data Protection.
    • Foundational Controls: Additional controls that build on the basics, such as Data Recovery, Secure Configuration, Data Protection.
    • Organizational Controls: Broader organizational processes like Incident Response, Training, and Awareness.
Implementation and Management

  • This refers to how these frameworks are put into practice:
  1. Selecting an Appropriate Framework:
    • Understanding organizational needs.
    • Selecting a framework that aligns with the business objectives and regulatory requirements.
  2. Integration with Business Processes:
    • Integrating security controls within existing business processes.
    • Ensuring that security becomes part of the organization's culture.
  3. Ongoing Management and Continuous Improvement:
    • Regular assessment, auditing, and updating of the controls.
    • Emphasizing continuous improvement as part of a risk management approach.
C. Compliance and Certification

  • Adhering to the selected frameworks often requires demonstrating compliance, and sometimes obtaining certifications:
    1. Understanding Regulatory Requirements:
      • Knowing the laws and regulations that impact the organization and how they correlate with the chosen framework.
    2. Certification Processes and Benefits:
      • Obtaining certifications like ISO 27001 can demonstrate commitment to security to stakeholders.
      • Can also provide a competitive advantage.
    3. Auditing and Monitoring Compliance:
      • Regular internal and external audits to ensure that the controls are working as intended.
      • Monitoring to detect any non-compliance and taking corrective actions as needed.

Security Control Framework Mapping

This involves mapping security controls across different frameworks.

  • Purpose and Benefits
    • Security control framework mapping serves several key purposes and offers various benefits:
      • Alignment with Organizational Needs: Helps in tailoring the controls that suit specific organizational objectives and requirements.
      • Efficient Use of Resources: Mapping between frameworks allows organizations to understand overlapping areas and can reduce redundancy.
      • Ensuring Compliance with Multiple Regulations: Facilitates compliance with several legal and regulatory mandates by highlighting commonalities between them.
  • Common Mapping Challenges
    • Mapping between different frameworks can be a complex task, and there are several common challenges that may arise:
      • Differences in Language and Definitions: Different frameworks may use various terminologies, making exact mapping challenging.
      • Variances in Scope and Depth: The scope and depth of controls may vary across frameworks, leading to difficulties in finding exact matches.
      • Complexity of Mapping Process: Mapping requires a deep understanding of the individual controls within each framework, and the complexity may lead to errors or oversights.
  • Mapping Methodologies
    • Various methodologies can be used for mapping, and the approach might vary depending on the specific frameworks and organizational needs:
      • Manual Mapping: Involves human judgment to identify equivalent controls across frameworks.
      • Automated Tools: Utilizes software that can map controls based on predefined rules and logic.
      • Third-Party Services: Engaging external experts who specialize in control mapping, which can offer an unbiased and detailed analysis.
  • Examples of Mapping
    • The following are common examples of mapping between different frameworks:
      • Mapping NIST to ISO: Mapping the controls in NIST SP 800-53 to the corresponding controls in ISO/IEC 27001.
      • Mapping HIPAA to COBIT: Identifying how the COBIT framework supports compliance with the Health Insurance Portability and Accountability Act (HIPAA).
      • Mapping GDPR to Specific Control Frameworks: Aligning the General Data Protection Regulation (GDPR) requirements with other industry frameworks like ISO/IEC 27001 or NIST.

Transcript:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Good morning, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a beautiful day today. Today is an amazing day. Here in Wichita, Kansas, we are dealing with record-setting temperatures, so you know, it's just awesome. It's just very, very cool. No, not really. It's very hot and very steamy and very uncomfortable, but that's okay. But today we're going to be talking about security governance principles as it relates to Domain 1. Now, before we get started, one thing I wanted to kind of talk about was some news that is in the news this week, and it's around security for critical infrastructure. I'm not sure if you've all seen it. As you're looking to go at your CISSP, you're going to deal with various aspects, and what I'm trying to do with my podcast a little bit is, at the beginning, maybe talk just about an article or two that I'm seeing out there on the internet, just to give you some more exposure to all of the hard work that you're doing to study for the CISSP exam. There's a reason for it, but there's an article out there by ZDNet, and you'll be able to see the links for this in the show notes. But the bottom line is it's talking about critical infrastructure. Now they'll use a term, and you'll see this. You may see this in the CISSP test. If not, you will definitely deal with it as it relates to working with different companies, especially if you're going to be in the manufacturing space. It's called critical information infrastructure, or CII. The various countries use it. I think it started with the United States; China has now used it, others have globbed onto it as well.
But the bottom line is they're talking about what is critical infrastructure for the economies of the world and how to best protect those. In the past we've talked about on this podcast at various times the OT network, or operational technology network, which typically in the past was not protected the way it's beginning to be protected in the future, just because it's been a little bit outdated and it's also been in many cases separated from other networks in, more or less, what they call a Purdue model, but it's basically separated and set off. But that is changing because, one, everything's becoming more virtualized and, two, the networks are becoming more useful, so they are now becoming a target for attackers, and so it's just talking about in ZDNet the fact and the importance of having an OT attack toolkit, that you have understanding and you have expertise within your organization that will help you deal with the various OT threats. Now there's one, there's a company out there, there's various other ones, but they mentioned Dragos in there and how Dragos is a tool that is used within the OT space to protect it, and they're mentioning this company as well, and the fact that you need to have an understanding around protecting operational technology markets and technologies. One comment they made in here, they said there were 605 ransomware attacks against industrial organizations last year, and that's up 87% from the previous year. I believe it, totally believe it, and it's because they're getting into these older networks that are not as well protected and they're also not as updated. These ransomware attacks do run roughshod all over the networks that are in these OT spaces. So when you get your CISSP completed and you move on to the next opportunity in your life, you may be dealing with OT environments, and it's very important that you look at how to secure those.
The techniques are still very much the same. However, the fact of the matter is that you do have to take a little bit better look at them and you have to be a little bit more cautious about what you implement in these OT networks. But again, it's a really good article; it kind of talks about what you should protect and what you should plan for, and I would highly recommend it. You'll be able to check it out in the show notes. But the bottom line is that OT environments are becoming much more targeted than they have been in the past. Okay, so let's move on to our training for today, and we're going to be talking about security governance principles. So these principles, this is tied to Domain 1.3, and it is something you will deal with as you get your CISSP and as you move on to an opportunity with a company. Now, before we get started on that, I'll let you know you can get all this information at CISSPCyberTraining.com, and all of my information that's provided to you on the videos and the audio is all available at CISSP Cyber Training. You'll also be able to listen to this podcast, obviously, at the podcast location of your choice. But in addition to that, you'll be able to see some of the videos that will show up on YouTube. You'll get access to those at some point in time. They're a little bit delayed; they don't come out at the same exact time as this does, but you will see them at some point. So the ultimate goal is I'm trying to provide you an opportunity to help pass your CISSP, because you know that's what we're here for, right? Okay, so we're going to get into security governance principles, and the principles, they provide a foundation for information security programs within a company.
They're designed to give you an outline of what you should plan for as you're trying to implement this within your organization, and the concept stresses the importance of security strategies that align with your mission, your vision and your overall company goals, and that's what they need to meet. So you'll need to understand what your CEO's vision is, or maybe even your manager's, depending upon how big of an organization you have and your overall responsibility in it. But you want to understand your company's overall vision and then tie your security program to your company's vision and ensure that it meets the needs. So, for example, if the vision of your company says that protecting our personal information is of utmost importance to our company and you don't implement the policies that protect that, well then, you know, you're kind of not really meeting what your bosses want you to meet. So it's important that you do meet those, you do match them up, they do agree, when you're putting out your policies and your standards, with what your company's mission, vision and goals are. So we're going to break this down into some different buckets. The first one is alignment with your business objectives. Just kind of like I mentioned before, you need to understand your organization's strategies, so you need to have a strategic alignment. What are they trying to do? And you need to ensure that these goals that you've provided do enable these strategies for your company. So, as an example, like I said about the personal information, if your policies will help enable the protection of that information, then you are meeting their goals. That's what you want. However, if your ultimate protection is the protection of YouTube, and your company wants the protection of people's identities, well then, you're really not meeting their vision.
So you want to ensure that you have a strategic alignment with your senior leaders and with their vision for the company, and this does ensure that there's facilitating of decision-making processes between the business and your overall security objectives. So again, back to strategic alignment. You need to make sure your governance program matches with what the company wants. The other one is a business impact analysis. Now, again under the business objectives, what do you need to do? You need to look at what they call a business impact analysis. Now you will do some of these as a practitioner in the security force and the security space, and you'll need to identify critical business functions and the associated processes that go with it. And that's a BIA. This does assess the potential impact of any sort of security-related event that may happen against these various functions or processes. So it basically comes in and you say, um, I have this most incredible process that makes my company work. Well, you need to look at if this process is so important. So let's say there's a computer, and this computer is the sole computer that makes your product move from point A to point B, and if that computer goes down, then your process does not happen and you start losing gazillions of dollars per day. That would be part of an impact analysis. If this system goes down, what is the impact to your company? And you need to understand that. What you're going to learn is, as you ask these questions and you build out a BIA, there's going to be things that come up that you're going to go, we didn't even know they existed and that they were that much of an impact to your company. So once you do a BIA and you develop what those functions are, you understand what they are, what the impact to your company could be. Then you need to develop a mitigation strategy to minimize the overall business disruption that may occur.
So it's just really important that you understand how it could actually impact your overall company. Then you'll develop security policies. These policies will engage the relevant stakeholders in the overall goals, and you need to make sure you get with them before you create a policy. So if you create a, say, for instance, your stakeholders, which are the people that are your senior leaders, the ones that are running your company, if they don't care if you use USBs within your organization and you become draconian with USBs and say you cannot use them, you can't do anything with them, um, and the senior leaders really don't care, that is kind of in contradiction to what they're wanting to do. Now, that doesn't mean you shouldn't do that, but what happens is it will breed some sort of hate and discontent for the security folks, and they will end up going to their senior leaders, and it's not aligned with what they're trying to accomplish. So you need to make sure that these policies are aligned with what the company wants to do. You also need to make sure that the policies are legal and they meet the regulatory requirements around what your company is trying to accomplish. So, as an example, let's say you are in a highly regulated industry, let's say the financial industry, for example, and you put out policies that do not meet what this regulated industry needs, because there's various, COBIT as an example, or HIPAA, they have requirements on the use of USB drives or the sharing of personal information. If your policies don't match up with those, and you're in a regulated environment, that's not good. So you're going to need to make sure that you have that done and you understand the legal and regulatory aspects of it. And then, lastly, you need to define clear roles and responsibilities within the policy as well, so you need to make sure that those are all specifically defined.
So, again, when you're dealing with policies, you need to make sure they're engaging the stakeholders, they ensure that they meet legal and regulatory requirements, and they have clearly defined roles and responsibilities within the overall framework. Now, when it comes to enforcement, you need to implement monitoring and auditing measures to ensure that you are following your policy. So, as an example, you may have a policy on no USBs. Well, you may use CrowdStrike or some other product that's an EDR, or endpoint detection and response tool, that will then alert on the event that somebody uses their USB drive, and you want to have some sort of enforcement around those policies. Now, again, you want to also develop a mechanism that does this in an automated way. You don't need somebody being the USB police that's going around: hey Bill, why did you use your USB? Hey Fred, why did you send this email to George? You do not want that. That is a terrible place to be, and it is not fun, and it will drive you insane, so we don't want that. You need to have an enforcement mechanism that is there and available, but you really truly want it to be automated in some form or fashion. On the enforcement side, you also want to have something that will handle violations and exceptions through a clearly defined process. I get this all the time, where people will ask for a USB exception for whatever they're trying to accomplish. And if they're asking for a USB exception, then what is that? What are the processes they have to go through to get access to a USB, or to be able to transfer data from their computer to a USB device? You'll need to have those in place as well. So, again, under security policies, you need to have development of the policies and policy enforcement, and those are the two main buckets in them. The next area is security procedures and guidelines.
Now, in the security procedures and guidelines aspect, you're going to have what they call security operating procedures, or standard, I should not say, what am I saying. I'm talking standard operating procedures, SOPs, your standard operating procedures. These are detailed instructions for implementing the security controls, and you need to ensure that these SOPs are understood easily and are actionable by the people who are reading them. Now I'll tell you right now, SOPs can be a little bit challenging and daunting. They need to be part of your overall plan, but you need to start small. Sometimes you may come into an organization after getting your CISSP and you'll go, okay, we need to make SOPs, and you'll see how many years they've never made them and you'll be overwhelmed. What you end up doing is make one at a time, do one a week, make one, and before you know it, 52 weeks, you'll have your SOPs done. So you just need to focus on the small things to try to get those accomplished. Now you also need to create what they call a guideline, and the guideline development, these are the best practices for security within your organization. So you have standard operating procedures and you have guidelines, and these best practices are extremely valuable. And I'm globbing onto the USB one just because it's a little closer to my own heart, the fact that I've got USB policies in place and I had an individual ask me, hey, what do we have in regards to, like, best practices for USBs? What kind should we use? What should be the overall protection mechanisms associated with them, so on and so forth, and that is something that would fall under a guideline. Now, this does allow for flexibility to adapt to specific situations and requirements.
So, as an example, with the USBs, if you have a guideline that says that for you to transfer highly sensitive data you need to use a FIPS 140-2 standard or similar, or a FIPS 140-3 standard or similar, you use that kind of terminology. What basically happens is, a FIPS 140-3, which is like you're all going, oh my gosh, I'm about to fall asleep and run into the ditch as you're driving and you're listening to this podcast, a FIPS 140-3 is an encryption standard that's used by the US government. They come up with a standard that is, if you maintain this encryption schema, it will protect your data. So you use that. So then, when somebody goes to Amazon or to whatever location they want to buy a USB drive, they already know that the FIPS 140-3 is a standard, and so, therefore, they need to do it, and that guideline will help, or the procedures will help, define that for them. I should say the guidelines will help define that for them. Okay, so now we're going to move into information classification. The classification criteria is something that you're going to need to deal with, and this classification criteria will determine the sensitivity, the value and the legal requirements around protecting the data, and you need to have a classification schema across your organization. Now, an example of this could be you have unclassified, you have secret, you have top secret, you have uber most sensitive secret, whatever. You have a classification schema that you will follow for your organization and you need to define what that is. You need to define the criteria by which you can make the information classified, whatever that might be. Then you need to have handling procedures. So you have classification criteria and you have handling procedures. The handling procedures, these are developed specific to each classification level. So let's go with secret. Secret: you cannot share this with anybody who is not secret or above.
So that would be a handling procedure. You say, if it is top secret, you cannot print this document at all. No printing. Or if it is printed and it needs to be carried across town, then it needs to be put in a briefcase that's triple-locked and glued to your hand. That would be the handling procedures. You need to have that specifically defined for your organization. Now this again includes storage, access, transmission and the destruction guidelines. That's a key factor, destruction guidelines. You need to define that early, because when you have problems, then you have all of this classified information just sitting around. So that would be top secret, [unintelligible] Trump and Mar-a-Lago, right, you have a whole bunch of boxes of classified information sitting in your bathroom. You have to have a destruction plan for this information, and so, therefore, you need to have handling procedures. The next thing is security education, training and awareness, also called SETA or CETA, I don't know the actual term. You can determine where you're at on the globe and find out what that means to you, but it's security education, training and awareness, and so, from a phonetic alphabet, which I did from the flying days, you have a Sierra, Echo, Tango and Alpha. Okay, took me a second to remember that. So, when you're dealing with SETA, you want to have, there's three buckets: there's a security awareness program, specialized training and then effective evaluation. So this is the part to have a good SETA program, your security awareness programs. These are designed to enhance the overall security consciousness among your employees, so it's to ensure that your employees understand what's going on as it relates to security. I'll tell you right now, there's areas that each company can do better in this, and I am no person that would, I don't know what I'm trying to say, but I got problems too.
Okay, I don't do as good a job in this, in the security awareness programs, because I just don't have the time, but you need to make the time, and I say that pointing fingers at myself, saying I need to make the time. This can include communication channels such as newsletters, workshops, online trainings, videos. That's, I think, an area that I probably could do better in with my company. So, again, all those kinds of aspects can be available to your people. Then specialized training: this training is offered for specific roles and responsibilities, and it's designed for security personnel to be trained in relevant technologies, regulations and organizational practices. I have employees that work for me, both now and in the past, and you have very specialized training that you provide them to ensure that they have the information they need to be effective in their role that is specific to security, and I'm sending them off to schools to learn this specific training, because I just can't teach it all to them, and you know what, they probably would learn better from somebody else. Effective evaluation is the other part of this. So part of SETA is that you need to have a program that can evaluate employee behavior and organizational security posture. This includes implementing feedback loops to continuously improve your overall SETA initiatives. So, again, you need to have the program, you have training for your people, and you need to evaluate how your overall people, everybody within your organization, is doing in regards to security. Okay, so we're going to briefly touch on a thing called security control frameworks, and at CISSP Cyber Training I've actually got some specific training focused on security control frameworks that you can watch and listen to, but one of the aspects is, a control framework is a structured method for managing security within your organization. So all it does is it gives you a roadmap on how to deploy security within your company.
Now, there's various frameworks that are available and we're gonna go over just a few of them. We're not gonna go over all of them, but we're gonna go over the major ones that you'll see within most organizations out there. Okay, the first one is ISO, the International Standards Organization, and this is ISO 27001. This is one that I use as a multinational, just because it's a multinational or it's a global standard. It pulls in different frameworks from around the globe, so I'll use that. If you go to a company, if you're US based, you may just use the NIST 800-53 standard, or what they call the Cybersecurity Framework. You may just use one of those. It just depends on your organization, right? And if you're listening to this and you're from the Netherlands, you may pick the ISO standard because your business does work with other people within the European Union. Or you may just go, you know what, if I'm in the Netherlands and all I ever deal with is security for people in the Netherlands, you might even use the US based NIST 800-53 or Cybersecurity Framework. It really just depends. The bottom line is they're all relatively the same. They all use the same type of format. The only differences are that some of them have tighter controls and tighter reporting than others. So you just have to decide what is best for you and your organization.

But we'll get into the ISO 27001. Now again, it's an international standard, and it's called an international standard for information security management systems, or ISMS, and the ultimate goal, though, is it provides you scope, policy, objectives. It gives you risk assessment and treatment, helps identify areas that you may have, helps you identify the risks and then assess them, and then potentially put in mitigating or compensating controls for that. It also does ensure that you have continuous improvement through regular assessments. So those are some big factors.
Some key components are scope, risk assessments and treatment, monitoring and improvement. Now, you can get certified on the ISO 27001 standard. This is something that also differentiates it from some of the other ones, in the fact that if you are ISO certified, you have now proven to an external third party that you have these controls in place. So if you have these controls in place and you've certified to it, now there is another third party who's maybe gonna work with you. So, let's say you have Company A. Well, let's just go, that's my company, right? If my company is ISO 27001 certified and I want to go work with a third party, and that third party, whoever that is, let's say it's GoDaddy or it's Dropbox or whomever, they want to work with me and they want to ensure that I have security controls in place. Well, in today's world, this is getting extremely challenging, because people are asking us to validate security controls all the time. They ask me and my company, you know, ACME Company, saying you need to validate that you have proper controls in place to ensure that Mike, the company that's the third party, specifically has their information properly protected. Well then, now I'm required to go and look at all these different controls and ensure that their data is protected. However, if I'm certified from ISO, all of those controls are already defined, they've already been evaluated, they've already been audited. I just give it back to this third party saying yes, my company is ISO 27001 certified, your data is in good hands. Okay, so that's the whole purpose of it. But it is expensive and you have to do it every year and it's very laborious and time consuming. But if your business deals a lot with outside entities, being ISO 27001 certified may be a good choice for you and your company.

So then you have NIST Special Publication 800-53. Another one that's very similar to ISO 27001.
It has what they call control families, controls and then supplemental guidance. Now, this 800-53, from what I understand, was being superseded by the Cybersecurity Framework, but the overall concept is very, very much the same, and I believe they're like in version three at some point, something like that. The overall goal, though, is just that it provides you guidance for you to be able to implement security controls within your organization, and these are baseline controls that provide minimum security controls for the different categorizations within your company, and they do offer additional context around these controls. Now, so now what? Who are the type of people that can use the 800-53? Everybody should look at it. Everybody should use these frameworks. Now, if you're a seasoned, crusty old fart like myself, you may say to yourself, I understand all this, I don't need these frameworks, and you'd be partially right, because in many ways these frameworks are what you've been doing for years, so they're the same thing that you've been doing for years. However, looking at these frameworks and the changes that occur to them is an important part of your overall security strategy, because things change and you may also forget about a control that you need to put in place. So it's important, no matter what your expertise and experience level is, to verify and look over these various control frameworks to ensure that your organization is properly protected.

Another framework is COBIT. This is the Control Objectives for Information Related Technologies. Again, this is another framework for governance and management, and this will align your IT goals with your business objectives for governance, management and assurance. Now, COBIT is another one that's out there. It's focused specifically around IT and the information related technologies. It's basically broken into three subsets.
Like the CIA or the 800-53 was broken into three, COBIT is also broken into three. You have domains, you have processes and you have control objectives. Now, the domains are organized in a way for you to build, acquire and implement; deliver and support; monitor and evaluate. So you have build, acquire and implement, deliver and support, monitor and evaluate. Those are the domains that COBIT is broken into. The processes will define the specific processes for each of those domains, obviously the build, acquire and implement, so on and so forth. And then there's the control objectives, which will outline what must be achieved. Again, it's very similar to your supplemental guidance and your baseline controls with 800-53. It provides what must be achieved in those spaces. Now, because it is more focused on IT, the controls will be more IT focused, versus in the 800-53 they're a bit generalized, and I say a bit, not a lot, but they are.

Another one is the CIS Controls. This is the Center for Internet Security Critical Security Controls. Now, the purpose of this is, they're designed, again, like everything else, to improve cybersecurity, and they're designed to help bolster defenses by focusing on key specific controls. Now there's three buckets, just like all the previous ones as well. You've got basic controls, foundational controls and then organizational controls. Now, your basic controls are fundamental controls like understanding your inventory, ensuring that you have proper controls related to your hardware, software, your secure configurations, data protection. You have an inventory and you know everything that's in your environment. Then the foundational controls, these are set on basics such as data recovery, secure configuration and data protection. And then your organizational controls are around incident response, training and awareness. Incident response obviously is a big thing. It's a close thing to my heart.
You want to make sure that you develop an incident response process that is resilient. But all of that, that's where it'll be called out in the Center for Internet Security Controls. Okay, but before we get into the next area around security control framework mapping, I want to give a plug out there for CISSP Cyber Training and my cyber training blueprint that is available to you. You can go out to CISSP Cyber Training. You can sign up and you can get access to my blueprint, which will walk you through, step by step, what you need to do to study for your CISSP exam. It's going to walk you through the book. It's going to walk you through the different training areas that I have and it will take you through this area in the fact of studying for your CISSP to help you become successful. That's one thing I struggled with with the CISSP: I didn't know what to do and I just jumped into the book and I didn't really understand what I was studying. I didn't have other types of data that was there for me to help me study, and what ended up happening is I failed it. So we want you to be successful when you study for the CISSP. So go check it out, CISSPCyberTraining.com, and you can check out my blueprint.

All right, let's move on to security control framework mapping. Now, the purpose of this is around, not everything is one for one. Now, what it does is it serves a couple key purposes, and we're going to get into these various benefits as well. The purpose and benefits around security control mapping is it does help align with your organizational needs, so you may have an organization that has specific things that are part of the map. So we'll use the ISO 27001 as an example. You may have one area within there that is very important to your organization and protecting the information within it, and you therefore will utilize it.
But there might be areas that you don't need very much of, but you may need areas that are important within the HIPAA or the COBIT area, and so you can map what you're currently doing to each of those various domains. It does allow you to be able to move between frameworks for your organization, to understand overlapping areas and reduce redundancy. So if parts of the ISO 27001 really match up with your needs, that's great. But if there's parts of it that don't, but yet COBIT does, then you can map to those same controls, and the overall purpose of the mapping, I mean realistically, is to help a third party audit you, but it's also to help you put it in a format that you understand, so you can say to yourself and to your leaders how you are maintaining the controls on those various standards. It also does ensure you have compliance with various regulations that are out there. I see this time and again, that one regulation will require an ISO standard, especially if you're a multinational. You may have the Chinese want one, you may have the EU want another, and if you can go ahead and map to those what controls you currently have in place within your organization, and they map to the Chinese cybersecurity framework or they map to the EU framework or the EU's request, you can now ensure that you have compliance with those regulations.

Now, there's some common mapping challenges that do occur. There's differences in language and definition, right? So frameworks may use various terminologies, they also may use different languages, and you may have to ensure that you can meet between those various frameworks. They also have variances in scope and depth. As an example, ISO 27001 will be very broad but not very deep, whereas COBIT will be very deep in specific areas, but not to the same breadth as 27001.
And then you have the complexity in your mapping process, which basically means you need to really, truly have a good understanding of your controls so that you know what framework to use. If you don't know your controls and you don't know what's in place, a framework isn't really going to help you a whole lot. So you're going to need to really... If you don't know those, then I highly recommend you truly get in place and understand what controls you have in place and then, from there, start looking at the frameworks to see how your organization will map to it.

Now, there's different mapping methodologies and different approaches these can be used for. You have manual, you have automated and you have third party. Manual mapping involves a human's judgment to identify what are the controls across these various frameworks. So you're basically going through line by line. So that's like studying for the LSAT, or losing your mind studying for the CISSP. You will do this manually, and that is a long and laborious process. Take it from me, it takes about a week and it's very painful. The automated tools, these will help you map across these areas, more with predefined rules and logic, and I've done that. That works really well. Now, there is some interpretation in there, but now, instead of the interpretation being all of it, your interpretation is a much smaller subset. And then you can pay a gazillion dollars to third party services who will help you. So if you go to Deloitte and you say, I have a very large bankroll and I want you to fix it for me, they will do that. They'd be happy to do that for you, and it'll provide you a very beautiful, pretty product and it'll cost you at least $100,000. So you just have to decide which one do you want. Now, obviously there's companies out there that will do that for a much more inexpensive price, but the bottom line is you will not get away with a CISSP membership price for your control framework.
Just not going to happen, no. Okay. So then, one last thing we're going to talk about is some examples around mapping. So just a couple, so you can see. If you are able to watch this video, you'll be able to see what I'm talking about. But mapping NIST to ISO is one example. So you could take the NIST 800-53 and then you can set those to the corresponding controls of ISO. And that is very specific areas. You also can map HIPAA to COBIT. This would support compliance with the Health Insurance Portability and Accountability Act and how the IT framework does support it. Because you may have situations, because if you look at the HIPAA framework, it does talk about IT controls, but it doesn't get into a really tight, granular level, whereas now you use COBIT. You can take those controls that are defined in COBIT and then interject those within the HIPAA standard as well. So you'll be able to drive deeper on that. And then the last one is GDPR. They have very specific control frameworks. You could tie those either to your NIST or to your 27001. So GDPR, if you're not aware, is the General Data Protection Regulation, and it does require various use of frameworks, not just what you're trying to accomplish, but it does require you to use the ISO 27001 framework. So you're going to have to map your current framework to the ISO 27001. And there's more that are coming out. I just saw a new one that came out from the European Union this last week, and it's not really new but it's new to me, the NIS 2, November India Sierra two, and it's another framework that you're going to have to follow and maintain, and it's a regulation that will be out there. So there's just more of these that are continuing to happen all the time, more regulations that you're going to have to map various frameworks to. Okay, that's all I've got for today. I hope you guys have a wonderful week this week.
I hope your studying is going well and that you are getting prepared and geared up for the CISSP. I know some folks in my membership are getting ready to take the test here in September. So we're gearing up and excited for them as they get ready to go pass the CISSP and get that certification complete. All right, have a wonderful day, everybody. We'll catch you on the flip side. See you.