RCR 024: Awareness Training (Part I) - CISSP Study and Training!

Description:

Shon Gerber from ShonGerber.com reveals to you the steps and the cybersecurity training you need to grow your Information Security career while protecting your business and reduce your company’s cyber risk. Shon utilizes his expansive knowledge while providing superior training from his years of cybersecurity experience.

In this episode, Shon will talk about recent security news: Big Trouble Down Under - Password Resets; Four signs you need a CISO; US Lawmakers looking at foreign VPN usage; PWC corporate director survey.  In addition, Shon will be providing Part I of his training Cyber Awareness Training and what you can do to implement within your organization.  Some of the content will include:  Methods to present training, content reviews, metrics, program evaluations, and the differences between security education, awareness and training...much, much more.  

As always, utilize Shon’s cybersecurity training to help fulfill your Continuing Education credits for your CISSP or other security certification.

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet? LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com - https://reducecyberrisk.com/

Facebook - https://www.facebook.com/CyberRiskRed...

Transcript:

reduce cyber risk podcast provide you the training and tools you need for your cybersecurity career hi my name is Sean and I'm your host of this action-packed informative podcast join me each week and I provide you the information you need to grow your cybersecurity knowledge while taking practical and actionable steps to protect your business from the evil hacker horn all right hey Allison Sean Gerber with cyber risk February 14th 2019 episode 24 today's topic on our podcast we got a lot of great stuff that's in the news especially as it relates to you dealing with cybersecurity as a professional and dealing with it if you are in the business sector along with some cyber security training that's around cyber awareness training part 2 or part do depends on where you're from one of them is going to be about creating the cybersecurity Dream Team and of Richard this is a comes out of dark reading in the pork purpose of it is that if you're a sister or a chief information security officer how should you create the quote-unquote Dream Team to make your security program as good as it possibly can be and so therefore they have some five wonderful tips that you can put in place to make that quota dream team again five tips on a blog post that it's great but there's lots of opportunities around that as well so there's some things we need to kind of cover to get you in the mood of things but the first thing that comes out of a cybersecurity teams typically come from your traditional it folks that's typically where they come from especially in the past they've been and IT person is maybe being a part of your server Team part of your infrastructure team and they end up becoming part of the cybersecurity path for your organization ocean well there's some key things that Cicero's our chief information security officers should consider as they are looking at building out this dream team and the reason it worked fine the pathway there was the threats were much the scope was pretty limited to a Datacenter and that what they didn't have the complexities that we have today will because of that and all the different changes that are occurring these are the things that you have to be aware of especially as a chief information security officer we're going to talk about the five Talent the five things you need to do to be a successful siso and build out this dream team for your organization the first one is to take Talent inventory wall what does that mean who do you have to that can that has any capability within your organization that you can groom to be a security professional within your company and basically just need to understand what are their capabilities now as we talked about it from a security standpoint you're going to find out more and more especially that deals with your cissp or any other security security certifications you may take the certification is great and that's great book knowledge but the practical sense of it it takes a little bit more than just understanding the little ones and zeros that go along with it and so you need to understand the interpersonal skills that go along with having individuals working for you in the cybersecurity space people that can actually talk to senior leader you have people that can utilize lingo that is not real cyber Savvy and so those are things you're going to have to understand it when you look at your overall Talent now if you're not going to hire from the outside you need to decide well okay then can I groom groom them from a up internally number to hire top talent or Outsource top talent this number one so if you don't feel like your Stables very flush and maybe you have instead of some Thoroughbred you got a few donkeys which isn't bad that do donkeys can become thoroughbreds maybe not but a little pixie dust but that the point of it is is that you need to look at what is your talent and if you don't have it you need to go higher it now I say this you need to consider yourself it depending on what the risk tolerance is for your company what are you going to do now there's a couple different options you can go out and do one is you can hire the talent so you go out and if you're looking for a top senior executive within your company just get ready to pay some big money potentially right you're looking on the upwards of I'm starting 250 with plus bonus typically they run about 250 with bonus I seen his highest 450 with bonus different options that will be available from buying the and then understand if you do hire so you may have them for two three years tops and then they will probably move on the other thing is outsourced the talent now you can get this from various Avenues but a virtual siso a virtual security officers a good way of doing it and you can do to get a virtual person lot of different ways security Architects are virtual and I was really surprised it virtual are at Architects are actually in summer case in some cases hard-to-fill than this Chief Information Security Officer mainly because they can provide you a bit more value and they're usually a little bit more reasonable in price but something to consider what that decide you want to Outsource it with him I need company by it and this comes into the board that come into the senior executive you need to have company buying on what you're trying to accomplish and this does include the board the board has to be involved with these decisions and what's going on and if they don't well then that would be bad and I did my podcast last week I talked about the board and how the board is important in this in a mini companies they don't really understand board isn't that involve they they end up having more more issues 95% of security issues is human error and so therefore you've got to understand that if that's the case you board has to be involved what it's going to take from your company and how to manage that risk you also need to be proactive and prioritize accordingly you need to look at that from a standpoint of what is best for your organization and how do you deal with it honestly you need to understand and utilize new technologies artificial intelligence is an important factor machine learning but it isn't a Panacea so can you use that to augment what you currently have in place that's a very possibility right I am back to number for about being proactive you need to be practical is what is your wrist and what are you trying to accomplish and then prioritize them because we can't get them all done in a year so decide what is the biggest rocks that you want to start lifting now and the ones that you can make movement on and focus on those so between number one is take Talent inventory to is higher top talent 3 is by a company buying BB proactive and five is utilize new technology such as AI or whatever males baby out there for you all right so that is this building your cybersecurity dream team no DUI next news item is a BFE email service breach K it is Dead on Arrival they are toast basically what happened was somebody hacked into the DMV Fe and it's an email service that started back in 2001 and they hacked in and they basically there was no Ransom or anyting and they decided just pull out and drop little Molotov cocktails all over their servers not physically but they nuked it they basically turned around and they were formatting everything they deleted all their data and they got where they were actually in the process of formatting their backups servers when they got caught now they got caught but what does that mean so they basically destroyed everything for the company which if you're trying to be in business to make money that's not a good thing they said that the IP address came from Bulgaria so weather was Bulgaria where there's somebody else was using that IP address as a launching often targeting Point who knows the FBI will figure that out but bottom line is February 11th and then quote never going to get a little commentary around this most likely use a virtual machine this is from one of the individuals involved in this most likely use a virtual machine and multiple means of access into vfe email and then it was a bit more in there, Terry then the next thing is no method of protection such as two-factor authentication would have protected vfe email from the intrusion it's a pretty broad brush statement and multi-factor in of itself would have that protected the intrusion right but realistically is if you figure out you got a problem February 11th and your systems are getting nuked on February 11th that's not a good place to be so that we said they were in the environment for a for a. Of time now I say that because you know what working from the hacking standpoint that's exactly what we should do and people would even know we were there till after the fact so did they have all the mechanisms in place to protect you know that's where the finding will come out of it I don't think we'll ever know but we'll multi-factor help ya it would have helped would have stopped it hard to say but it would have helped and then what they're saying is that they probably didn't have it in place when they say no protection such as multi-factor would have done it felt something kind of interesting in that whole discussion around BFE email service it's pretty sad it's unfortunate that it happens and the sad part is is there was no ransom they just went and decided to start erasing things which is really kind of vindictive bad cyberscholar part-time steering uses a federal data privacy reform okay well what is this they said do you expect to see it this year in 2019 we got Chinese cyberlaw you got the several all that's not caring and other parts of Asia you got one in Spain pretty much all 50 states have some level of data breach what is the federal US federal government on the gdpr US federal government going to have a date of privacy reform I'm not released this year and we're going to talk about it with rosenzweig I had probably just butchered his name he's a senior fellow of cybersecurity National Security 1st Street Institute so he's got a big title he's probably got a crane in the size of a watermelon compared to my pee besides little brain and what he's saying is that going to happen probably the recent announcement that we had a like-new 700 million creds sound like 1 billion those all of those were or not enough right the one big thing he's talking about the reason that it's probably not happening that one is actually a couple different reasons but one of the main reasons is that technology literacy does that mean most people that provide some level of political aspects around what this whole Space do not totally understand technology and therefore they don't really understand what they're trying to sign up for or try to protect us from stop saying for a few years and I'm clueless on so much that goes on I have absolutely no idea and trying to understand it can be a bit of a challenge so that that's why you got to surround yourself with people that are way smarter than you are that's the one thing that I would say they're that he says they're having a challenge with this technology literacy now in the event of Sean Gerber who is reduce cyber risk I have a literacy problem in general. I can't speak the English language very well the gdpr is talked about in there where the they need something like gdpr in the fact that there was 59,000 notices just in 2018 when it was it came and active in May of last year mm breaches notices there was 91 finds that were that were paid out or that were paid or forced on so 91 out of 59,000 breach notices privacy is only 15% of concern of Voters and so therefore that is why he says most politicians don't want to mess with it is because they're so few people that are really concerned about it mean when you got Facebook when you get your Google's they really aren't that worried about privacy so that's the part about the federal data privacy reform ransomware attacks and nation-states one of the things that came out from Kevin Townsend security week and he mentioned that they're seeing now that nation-states are getting more involved potentially with ransomware attacks well why is that it always comes down to one thing show me the money when it came to Ransom where's that Ransom where is extremely lucrative and the margins are very very high and how is that the case well recorded future which is an intelligence-gathering company they in the stats on my slides you can be the sea at reduce cyber-risk where you can see them in other locations 2017 there was 635 ransomware attacks in 2018 leaving now these are reported there were 1105 but since January the end of January is another month another 360 I can't do math in public 58 right two instances just in January of 2018 or 2019 and what they're saying is that people are migrating away these attackers are migrating away from individuals and going to businesses they're focusing on the business and how to hack the business and how to get start the business for money Grand Ag and crab I don't know who it's Unique I don't understand what why or what but it's ya so there was three hundred million dollars where's my mind that's why I'm saying the margins are high just in a few months of when the grand somewhere gandcrab came out and hit the market and this is also bit bit torrent know it's it's in the article who actually has it locker but bottom line is there is a there is the the key to be able to get to unlock your systems and they have the a vape company has this ability to do it the interesting part those in in just a few months this thing is is Garner / 300 million dollars in Ransom now million dollars in the past few months so I don't know how long how much developers cost I have an idea right they're not that expensive they are expensive but they're not that expensive United States developers about 170 an hour in other parts of the world it's goes from 5245 bottom line is is that the margins really really good what they're expecting is is North Korea is using it to generate funds and as a precursor to an attack tool somewhere they can use it as a dry run on making an attack and so therefore that's why they think that these are happening one to create cash and 2 as a testbed use the world as your test bed for a cybersecurity event they they do believe that this all came from Wanna Cry as well in the Lazarus group so the bottom line is that the Koreans are doing it they're not real sure yet if the Iranians are doing it but they feel very calm Play No but basically sit without a shadow of a doubt that wannacry is comes from the Koreans you came again from recorded future and what their findings are about ransomware is it that many people believe the ransomware piece is dwindling right well from a consumer standpoint it might be getting less however ransomware attacks on businesses is going up and it's obvious because there's just lots of money the other thing I'll say for most cases in businesses guess what they got old stuff and their old stuff isn't always passed as well as it possibly should so therefore they are a prime target for ransomware type attacks aren't you the references that you can find lb on reduce cyber risk and then also you said security week week dark reading and The Hacker News and finally security Ledger alright let's move on or training cyber awareness training part 2 or part if your French is I took French in college and it's all I know is do and we I think that's about it right cyber awareness training part 2 this is part of our cissp supplement training that's available you can get at a reduced cyber-risk. Com and it's a great stuff without their we put this in regards to our cissp training that I have available for individuals but even if you're not taking the cissp this training is extremely valuable for you if you have any level of responsibility for cyber security within your organization so I can move on Cyber awareness training part 2 now we talked about in the first part 1 how do you talk to people and there's that one-on-one discussions you get webinars and so forth will here's a face trying to get into this is this is face-to-face discussions with people and it comes down to how do you do that well you can do that a couple different ways one you can have lunch and learns and place you can set those up you can actually meet with individuals individually at what I'd recommend you try to look at some sort of lunch-and-learns a really good way of doing that and that way you can get a group together you do it maybe once a month and you do some level of cyber awareness training for people who want to attend it does take a lot of coordination and makes a lot of takes a lot of time to do these things however it's a great way to get you one to build a rapport with people and to help people out are you can also do that when you roll out some training within your environment if you have some level of training around maybe password fault example is that you may say instead of having your people store their passwords on a Excel spreadsheet you do a open up a password Vault for people and give them the training run how to do that a good face-to-face discussion and watch learns are real helpful in that regard and that's actually something I want to try to do want to try want to do at the end of 2019 there's online options that are available in webinars and you can go to those and set those up those are easy peasy if you if you have your own business you can focus on products their leadpages and so forth that have that are available for you but there's lots of online options to have set up webinars and so they just need to find them if they're if you can utilize a free option the free options aren't Taylor as much and you may lose some potential information may be lost at but bottom line is it allows you to provide some level of training the other thing about this is that it does provide a some some regulatory requirement check box that you may have to go through so it would I say with that is that in many cases if you are a cybersecurity professional and you have some regulatory requirements around it this will help fill that security awareness training that you may need a consultation process as well are they provide a wealth of experience and and they can give you that information that you may need you can go ahead and contract then we can find him on udemy or I should say well so there are paid consultant out there that could provide you the level of expertise and experience that you may want in a specific 101 discussion with your people so the consultations way to have that happen but they can be kind of expensive depending upon your need in your desires anywhere from 300 or 350 an hour is what I would expect for an individual worth their salt now you can get somebody cheaper than that maybe fifty bucks to a hundred bucks an hour if you just want basic security awareness training you can get them cheaper than that she's got to look at what is the best solution for your company the high-end the 3 to 3:50 that that is for a chicken from a security officer but based on who you're talking to you may if you want some education specifically to your board you may want someone with I say this Loosely because I definitely don't follow this boat but you may want some with a little more polish to help you out in that regard so something just consider if you're looking at a security consultant these are great for one too many one few one too many and some respects way more than one on one they are usually in the more intimate setting such as like after lunch that kind of thing and tenant attendants can be small to very sporadic so I would recommend that if you do utilize this you look at a way to be able to get people to commit to coming to lunch and learn why I just helped plan for your numbers and it helps to kind of gauge what what kind of one-on-one conversations you're going to have now it can be hard to plan this engagement so you need to make sure that you give yourself enough time for it as well pamphlets and other geedunk I like to call him these are Pros to this their constituents another Pros around the brochures in the pamphlet in the geedunk military term used to use a lot because he dumped stuff to give giveaway military probably something else but hey the military just adopted it it's usually a tactile response which basically means to give you something in your hand your greedy Little Mix get something to be put in there at that helps fulfill that need that they may have that's that usually good people some people like to have something in their hands that helps them kind of learned better and so this can be to be USB USB sticks CDs could be a pamphlet just a piece of paper but something that they would actually physically have other incentives can put in centers around finding the USB stick so you play like Easter eggs and you drop these USB sticks around your campus around your facility and if people report them to you they get you think it to keep the USB stick you wipe it and give it to them there's other USB sticks that are there that have like in typically what they'll happen is you'll leave these around they'll have a little program in them that we'll call home and it'll say why you can't use this as part of a security awareness training to unlock it take it to your security people like that people don't train people to go hey USB stick in the purpose behind that is to teach them that if you get it find a USB stick sitting on the ground don't plug it in your computer right that's just a really good example or somebody can say oh I plugged it in and I did that all the time and people would say, their computers and then I would take over their computer that's just bad so don't do that is also additional resources for learning that you can find available that's within brochures I know Santa's got some for people to use and but again many companies out there some of them can be very expensive some can be very inexpensive just depends what the quality of Muhammad Ali you want the cons of these are good production and a good Productions are expensive bottom line is that if you want something really good with a high clot High glossy paper that's a really good card cardstock they're expensive are not cheap in a mini cases at lots and lots of waste those people will look at this product don't they call this is awesome I love it and I'll throw it away so you just the marginal benefit really is kind of negligible around the the products I will say USB sticks do work well that isn't expensive option though cuz each of those sticks will end up costing probably about five bucks a piece depending on where you get them from but that that can work options of professional brochures and pamphlets you can make your own might be sulfur than actually buying them from someplace else USB DVD giveaways talked about that DVDs not so much anymore that's most people don't even really use those at that much but that's a possibility I don't want to think about is a fortune cookie I've seen this where people will have a fortune cookie and actually get something they can munch on an inside there is actually a little little piece of paper that says security is your friend or something like that so the goal is to drive drive home some level of information security awareness bottom line when it comes to brochures and have you I'm not a huge fan I really not but it depends on the marketing and the support if you do have a good marketing team or you maybe you can do the stuff in the house you could save yourself some money and it is another Avenue that works well that's just my personal opinion I have seen, limited results out of it other than the USB sticks has been very successful in driving home some awareness but it can get kind of expensive content reviews not important accomplish these at least every couple years to make sure that your content is fresh know this could change your threats will change on a daily I mean on a weakling sometimes daily basis but why are frogs you can we see a lot of those were social engineering occurs when people are trying to get in the middle of a wire transfer and so these wire frauds are in new technique ransomware is another new technique that you're seeing out there in a routine basis well as all of these things are new but in the past that used to be where it was USB drives or CDs all of the stuff is changing so you need to update your content at least about once every two years and it keeps the information fresh and relevant for users the population also has become better connected with the threat in the past it was like yeah ho-hum ho-hum it's not that big of a deal I don't understand it it's too complex but now that everybody is connected people understand the vernacular they understand the lingo for the most part and so therefore it's important that you set up to get it abbreviated every couple years or content review to a couple years consider what are your metrics in your measures based on your tools your click rate your the on your fishing attacks all of that stuff you need to make sure that you determine the effectiveness of it and this also provides leadership a snapshot into the organization as well and it determines if the actual awareness affected our training is effective so you really need to look at these different types of metrics because in some cases I've seen flick rights that go down and all the sudden they spiked up and you ask yourself why are they spiked up this last go-around well if you look at it you're maybe your phishing attack was much more complex and it was harder to four people to go through it or you may believe it teaches you a training Gap that you may have right now in place you need to address so there's a different things that you need to look at it around metrics different buckets around teaching and training employees your family and so forth. What are you talking about teaching and training employees what are you trying to teach and train your employees well are you trying to do the whack-a-mole approach for having users as part of the solution right so what I mean by that is that if you just go if you go do a whack-a-mole or Billy Bob goes and does something you teach that individual that's not good or do you going out and teach your individual users and embed them into your training as they are part of the solution and not the problem I've got too many conversations in a record with leadership and they go we are these people that always click on the links I just they're not that you're not that smart right somebody made that comment was it that was interesting the problem is though it may be there one that talk correctly to maybe the language isn't in a term that they understand and maybe they just need a little one-on-one coaching and I don't mean it in a bad way I mean in a way that will help them better understand the content how fast do your employees report a problem do they I like to use the employees as a sensor and what I mean by that is is your employees are the ones that are working on a daily basis and they know what's going on what train them to be the sensor if something doesn't seem right have until you haven't get ahold of you and I could be just a fishing Expedition there might not be anything there but at the end of the day would you rather have that or would you rather have something in your environment for a long. Of time at sucking all your data back and you could have done something about it so train them to alert you on things losing their jobs they're not going to alert you on stuff they're just going to say they're going to avoid the security person call cost so don't you want to avoid the whole losing your job thing now that doesn't mean that you can't build that into some sort of expectations around the job of going you know if you can't see a threat you were to say something and then this person constantly clicks on links and is continuously getting infected well then that's a different conversation but most people don't do that they really don't employees are your biggest liability and your most important asset so again they will be the first line of defense or they will let that they'll open the door wide open and let people in didn't that you train your employees talk about cyber for families 1 I need to consider for your organization and if you see me moving a bits because my dog is with me and he likes to be rubbed but Dad so cyber for families that the thing I want you to consider around this is teaching your employees to teach their family the thing is that these people go home and if you can teach your employees that how they need to protect them their families that's a huge win it is a big win for you so you need to train them to protect what is important to them. Because realistically your company isn't that they provide a paycheck to them but at the end of the day that is not as important to them as our families so I just a quote that I like to throw out there at whether or not it's relevant here or not but I can throw it out how much you care and is true and it's all the versions of that but it's bottom line is that people don't care about what you know they care about if you care about them so it's important for you to provide some level of training eat if it's just a little e-brochure brochure that they can download and talk to their kids about provide family-based training around password vaults credit freezes social network training and social engineering training of these topics can be huge wins for you and your security program if you can provide these and they don't have to be complex basic things again three bullets is really what people operate on a lot is that if you can have three main points up to something no more than 5 people will pay attention to it and if you provide it but 1% is better than no percent right that's that's good English there no percent are schools getting back to the community now if you as a security professional probably listening to this you can provide this back to the school to schools are there they're looking for this kind of information it is basically go to your school provide training courses for your school on how on cybersecurity and you can put on a webinars you can talk to parents I'm done but all of those things they're really good things to help your communities and to help build camaraderie with the around the families the community cyber-security they don't usually get it that's what you need to do to help build your brand education for kids that provides knowledge for the next generation of cybersecurity professionals I highly recommend if you can do something like that it's really cool the challenge of run into is that they want to put together a whole program and then they watch to teach it I got a full-time job I can't teach it but you can't put together stuff for the teachers and then provide some training for the teacher so the teachers to actually educate the kids on that's a really good resource and I highly recommend you with all these cybersecurity people that are needed people are learning well if you're learning why not use that learning that you're you're you're garnering okay big word and turn around and be able to teach other people cuz I'll tell you this you don't know the information to you start teaching that's when you really know it and then or you highlight the fact that you really don't know it and then you go I don't know what the heck he's talking about but I do know it I will baffle you with something yes you also count for CPE credits if you are working on your cissp or on any other security program you will do this and you can create cper continuing professional education credits I see squares got this as well the cissp are they actually have a cycle safe and secure online. Org that's a great place for you to be able to go and talks about what kind of products you can give to students and the schools so really cool really good idea I said before I'm done it numerous times a great way to help people and when it comes to cyber stuff they don't know it and anybody who has that that Mantra and has capability there got that just wanted they want that information so it's it's important to do especially if you're security person to give back to the community and it's a good way you can do that alright so here's the references from both use the is c squared cissp training manual cuz some of the content if it was in here was directly out of my cissp course but also some other stuff that I put in three years of experience and and also safe and secure online. Org all right great references and great books and great content in that if you go to IFC Square. Org again this is the ongoing stuff that I have available as a cissp supplement training it's available for people who subscribed to reduce cyber risk I said go on there and sign up you can get on my email list and by doing so you will get access to some of the free concert they have but also the bonus content that I've only provide provide for people that are on my email distribution list and it's it's awesome stuff and a lot of stuff that it may come available for the General Public but if you're on my distribution list you'll get access to all of my supplemental stuff not just the stuff that's on my website so will give you access to everything so go to reduce cyber risk you can put those are multiple areas you can sign up for that you can get access to my email list and then sign up and get on the distribution list all right I hope you guys enjoy and I hope you enjoy the training have a great day catch you on the flip sides and I see new project triathlon working folder when I get done 2.2 down lawn oh shoot connect udall 2.2 how I was doing tonight at 2 is it to I don't want to do that too oops at 3 alright let's do this this that shoot Cooper okay so I got to save same the same as welcome to Ries cyber-risk cissp training this is protect privacy domain 2 Section 3 it is Section 3 the different objectives around Sr data owners data processors remanence and collection patience part of cissp section 2 alright this objective about data owners keep in mind around data owners is this person is Ultimate possible within an organization for the specific data when it comes to the day that's whether it's on a server whether it's on a email exchange system whatever it might be that person is responsible party for the information for the data atypically can be to go simple as that they the owner is being on a simple system or I can go as high up as a CEO president of a department head of whoever but the bottom line is somebody has to be the actual owner of the data now it could be where it is the CEO of your large company the CEO maybe that person but when it comes down to delegating rights that CEOs probably the ones going to be delegated in probably not too tied into the day-to-day operations I have a data owner and different data requires different data owners and it may not be just one exact person it could be somebody that was the day the owner the delegated that responsibility to someone else and so you need to kind of keep that in the back of your mind as you're looking for managing your data and who would that person potentially be could be our R&D lead it could be even just the the developer that is putting together that application that has data on it so you just need to be cognizant of that point one thing all that comes into play especially as your data becomes more and more more prevalent and you maybe have a large organization and your security professional one thing to consider is that this person may be liable for negligence if they failed a basically perform to protect the data that this can happen in multiple ways so let's say for instance and you responsibility you are the owner of the data but you didn't put Protections in place and the data got out will you could be held liable by your company that you lost this information before you be fired then probably be sued let's just say for example you are a CIO of a company and you are the day they consider you the data owner for whatever reason and you have a breach it's a medical breach while you could be held liable for that as a security professional guess what they're holding security officers liable and in many cases for breaches that's the new trend that's on the on the horizon we need to be aware of that and it's it comes right down to the person that's enforcing policies within your organization you could be the person that has an ultimately reliable for the situations alfredito are there different guidance available to you nist 800-18 is a really good place to start as a relates to developing security plans for your organization and it's designed for the federal information systems but it's a really good place to start now appears small business or maybe a small company and you really don't have much will this is a good place to begin it'll be stuff in here that won't pertain to you but at least it'll give you a guidepost of where you should go if you are a security professional for medium-sized company again another good place to start a lot of times we don't know where to even begin especially the Security Professionals because things are changing so quickly and so therefore these are really good things to use as a way for you to just to begin the process of understanding how to to protect your company and to protect your business there's rules for appropriate use on how the day the owner should handle the data again this is based on the governmental aspects so there are some regulations and rules around that that may not apply but it going to give you the guidelines what helps you decide Privileges and access rights around an individual who should have access who shouldn't have access why should you think this way so it's a really good way to help you can move you in that path gozen acceptable use and rules behaviors so if you have an exempt acceptable use policy kind of walk you through how to deal with that as well nyasa toner or business owner this this person here is to develop a security plans in coordination with the data owner acid or so let's say the data owner owns the overall data within the company asset that holds the data specifically product or program that person that must work in conjunction with the ass autonomous working conduction with a data order to ensure that is properly protected is going to specific access access sensitive data system is updated and properly configured owners responsible for it so patching up whatever that might be a situation a while back and it was an application that have very sensitive data in it while this application I hadn't been updated in a while and this is back in a previous life and so we ended up talking to the date of the asset owner and the acid owner never realized that this that need to occur well that comes out of the education piece of is now the acid toner could be somebody within it it could be somebody was in the business as well but you need to understand that and they need understand who is responsible for the individual piece of equipment or dang it babies cheney responsible for the individual piece of equipment additional Martin example be the digital marketing team websites Papi at the back-end database the business owner manages but is not the data owner to the business owner manages the actual database but they don't actually physically on the data itself so those are things to keep in consideration School New data processors the context is everything as it relates to processing your data and there's the key piece around this really comes into play around gdpr gdpr to find a data processor as a natural or legal Person Public Authority agency or other body which process is personal data solely on behalf of the other of the other data controller so basically act as an intermediary a proxies would say we got here is a data controller collect personal data on employees for finance and passes that information on to a data processor or third I've seen this in finance where the finest individual will be at someone will be doing your financial go to a third party and that is considered a data processor they have to be certified in this case or they have to have some sort of regulatory requirements around them to ensure that they properly protect this data the state information on this information so data processors again that's it relates to processing system data as well so that makes some sense aspects is we're dealing with data processing and Anna comes up with gdpr they must comply with the gdpr requirements or face fines. This is a 4% fine if you don't do it right when I got down here on my own the screen you can see billion dollar US company now to put in perspective you're a company that makes about a billion dollars a year that's a the low end of a large company's between it's a high-end of a medium and low in the large about a billion dollars in Revenue that's Revenue that's not profit that's Revenue so of that at 4% fine on a billion dollars 1 billion dollars is 40 million dollars that's a $40 fine for not protecting people's information so you can see at the huge deal and so therefore it's imperative that you have person that can help you with gdpr compliance again security guy I know it I can understand it from a security standpoint but if you need to get compliant with gdpr I highly recommend you find somebody or that you can trust to help you with that lawyers are good at it there's something compliance people that are very good at it again as a security person surround yourself with people that are smarter than you are and is a sooner you realize that most people are smarter than you better off you'll be new privacy Shield that was previously Safe Harbor and around that is that organ organizations can self-certify saying that they meet or comply with the Privacy Shield principles that has occurred a few years back right before gdpr came into effect and gdpr was in May of 2018. My initial understanding of that back in 2011 how the Privacy shield and save Harper work and it's basically you self-report and say that you're doing the right things they hold the right to be a lot of Unity Point but bottom lines up to use self-reporting sorry when you have breech requirements at Fallen to play now you need to make sure that you can play is the gdpr requirements because if you don't and you don't report a breach in the timeline prescribed through that regulation that can get expensive a16 princess principal total within the us privacy shield and you need to basically Nevada uphold at least seven of the 18 principle gdpr terms suit abandon is an invisible seasonal synonyms Paisley comes out to his Bill Smith is patient 1 2 3 4 5 and is very popular when working to obfuscate as you're looking at Bill Smith inpatient 1 2 3 4 5 not anonymization is a process of removing all relevant data about the person identity okay so in this case would be example of masking it not amazing the data also in this case would be like a SQL table you would have Bill Smith has one two three four five six seven eight nine that's their social security number and then you have Jennifer Smith 9 8 7 6 5 4 3 2 1 the logic-based understands how to reconnect it. But it's really hard to do so it's something to consider as you are looking to put the stuff out there I need to consider is it something that you it's possible to put all the stuff back together but it's really hard to do that all at one time no luck cuz I could swore I know I did these I did them they're all done another. so stop this ksnt identities