RCR 037: Information and Asset Ownership - CISSP Study and Training!

Description:

Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

In this episode, Shon will talk about the following:

• CISSP / Cybersecurity Integration – Failed CISSP Exam
• CISSP Training – Information and Asset Ownership
• CISSP Exam Question – Sensitivity of the Data

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com - https://reducecyberrisk.com/

Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS: 

• Tech Target - PII
  • https://searchfinancialsecurity.techtarget.com/definition/personally-identifiable-information

• HIPAAJournal.com
  
  • https://www.hipaajournal.com/what-is-protected-health-information/>

• BusinessDictionary.com
  • http://www.businessdictionary.com/definition/proprietary-data.html

• ISC2 - Information Security Certifications
  • https://www.isc2.org/Certifications/

TRANSCRIPT:

are you serious podcast 2019 episode 37 reduce cyber risk podcast where we provide you the training tools you need to pass the cissp exam while enhancing your cybersecurity career hi my name is informative podcast show me each week cuz I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam hey I'll get this Shawn girl with reduce cyber risk and we got a knife podcast setup for you today last is going to be focused on again we talked about last week we are making a small payment from what we've done in the past as a relates to cybersecurity and the focus is on the cissp and and how you can pass the cissp exam along with taking that information and making it into a utilizing it for the cybersecurity aspects for your career and for your business book about a couple things and we broke this down last time we sent into three areas first was going to be the cissp and cybersecurity integration the second one is going to be around cissp training specifically and the third is going to be around a cissp exam question or questions that will focus on how to answer it in their answering behind it with a clear explanation why I should say all right the first topic migration now this is a reference from secure a ninja and their article they had around was failing the cissp exam and what are some things you need to keep in mind if you do fail the exam and some aspects you need to keep keep considering their test format like we talked about in the initial Demand with the cissp that I've got provided there is a test format is set up out of 7700 Peter deppe the depth of testing you have the ability with this with taking the test to take specific brakes you can get up if you need to to get up and take a break and I talked about this in the article that you do have the time to do that you also have that the time has shortened a bit from the passionate 6 hours to take it and you have basically three hours at this point but with less questions so in the past you had you can answer with the cat this computer adaptive testing is focused on how you take the test so it if it waits the questions that your questions are real easy it'll give you more questions and then it just keeps cramping up if you passed a very hard difficult questions then it considers that you know the material and you could potentially be done in as small as 100 questions need to focus specifically on one question at a time because what will happen when taking this test at the first time I took it I failed it and it did not do well I don't know what the actual scores and they never did tell me what my actual score was the time when I took it was just a eeuu Paso you failed it and but when you focus on these this test and it's imperative that you kind of think about this as you go through in your thinking of all the different questions that you have to address take one at a time focus on the right answer and if you don't know the answer then what you do is narrow down the questions to that the least if you know for sure there's one of these questions are these answers are not correct at all then just throw those out of me like cross those out back to the matter is is that if you do that that'll help dramatically help you with a test as well I talked about when what are the six hours ambiano take a break take a break you have to write after Moana hours you just have to use the restroom get a stretch use you by your brain are out it took me about 4 hours to take my test that was something that I had to struggle with it it just took a while to do it but with 3 hours now you have less questions which is a good thing however you just need to be make sure you're on your A game now that the cat like I mentioned before their algorithm is based on for a difficulty of the question so if you do well and you able to take the test good and you haven't the situation where you can work through these questions pretty quick you could be done in as small as 100 questions depend on how well you are you also can be done in about 50 if you really aren't very good at it and you run the risk that you don't really understand the content if it picks that up that you don't know what you're talking about it could be done very very quickly and I know these tests are extremely expensive last time I checked so that's that's a huge issue now we're going to deal with the objectives that as well they have changed now I updated my cissp content that reduce ever risk to the most current April 2018 but other things that have changed their I'll go to the eight domains and tell you just kind of a little percentage in this comes from your ninja name of the Comet that security risk management Has Changed by a negative 1% asset security has no change at all security architecture down a negative percent 1% their security assessments and testing is been a plus change so you 1% so many questions have been added versus the other ones questions have been removed these security operations is 3% security assessment is 1% loser increases and then software development security has been no change at all now what the recommended readings they had insecure Ninja on the article was around GSM encryption the Advil at which encryption it's extremely important and then I'm not in this case you're dealing with mobile technology is very important that you understand the encryption around that agile software development I deal with this on a daily basis so you really need to understand agile dlss RPP the encryption for transport protocols threat modeling methodologies it's important that you understand the threat and how you model that threat for your organization and for the cissp and then alright let's roll into the cissp training domain to asset security and this is round information and asset ownership subjected you need to determine to maintain information and asset ownership as a relates the cissp keep in mind as you are working down this path data ownership will change over time and did ownerships an important aspect of anything that deals with information security it it helps to Define who actually physically so therefore what you're looking to protect it who has decision rights to Maine to ensure that the data is protected in the most correct inefficient matter in most cases i t does not own the data now people may think that and people might think that website your ID and you manage where the data goes in the systems of the data is housing that you probably own the data farther from the truth it really should come down to a specific owner and then typically it would not be it I would not recommend it especially if you're a larger organization just because you don't understand what are all the nuances around protecting that specific data so it will change over time and it should not own it unless it's absolutely necessary they may be responsible for protecting the data the IP owner the data owner may not know what to do to protect it but ideally they should not be the owner of it there may be regulatory requirements at 4 shahan. Gdpr Chinese satellite excetera where it may come down to put picking the owner is an IT organization so you just have to kind of way that out but those are things you should keep in mind as you're looking at determine the asset ownership what would it come down to what are you getting for buy some level compliance and so forth did the biggest thing the owner is responsible for the data unless he is formally delegated and this is where you have to talk to the owner get that get their understanding and they're buying that they are the owner of it and you just you have to do that they are responsible for the data and in many cases where the the CIO may actually be the owner of the data and the board may require him or expect him or her to be the owner of the data but the CEO may not know that night that person may delegate it to another individual within your organization but bottom line is there needs to be a notarized or data come back to the supervisor supervisor and say hey who is this person and they'll say Will Bill had that will Bill left seven months ago who has it now situation you're going to have to pick somebody who so it's just it's important to understand that and it does example I have is that you owe me three other New York City plant floor group if that's your active directory Global Group who is that person that is in that group that is the owner that defines it when your deal with active directory a person who specifically will own the data but you need to understand it was in active directory who is that specific person in the delegate that person to those right now it's the folder names you may have to the full names of all possible owners it could be a situation where like R&B group 3 is Bill Smith and then Bill Smith hopefully is not Billy Smith or cilantro Smith then he goes by Bill and abiram throw that's that's probably not a very good name play that's that's the situation around Bill and you may need to hunt that down and figure out who actually these people are I recommend you reach out to the business owners because they're the ones that would understand mostly who would potentially own this unless it's been in with it for many many years after it's been with it then you need to as a cissp you need to focus specifically on getting it away from it so that they do not have that do not have the decision rights to be the owner of the data Dallas Mavericks problems with no owner and some of the problems without having orders at the day not data may not be adequately protected that is a high likelihood that the data will not be adequately protected if there is no owner involved so basically your secret sauce the 11 herbs and spices that you make your company work may be shared on a network drive and being shared on this network drive they may have a situation where they're everybody and their dog has access to these things cause problems you need to also understand that without having data owners who do you contact in the event of a breach that who are the people that would be involved if their the data was leaked out to somebody else the impact of data loss is not totally fun fully understood if for some reason there is an issue where this thing happens the data may not be understood who actually owns it so then what ends up happening if there is a breach you don't even know what was lost what is capped or anything so it's very very hard to know hey this data XYZ was accessed on that this time did it leave okay I don't know is it is it worth anything I don't know so it's really hard to be in that boat you just definitely don't want to do that are you doing if you're the cissp in your the security person the question what have you been doing you know you can take drink in your your lattes and just chilling out on the beach somewhere or have you been putting things in place to actively protect this that's a real quick way for you to have a brown box and then somebody to escort you out of the building so that the key thing around us those you need to understand these aspects as special as you go data you need to know who is the owner how are they going to protect it if they're not going to protect it you how do you protect it but you need to understand who is this person and I get it comes back to the tragedy of the commons and what that basically means is that it's a area that everybody has or has some access to but nobody has any responsibility for kind of like your coffee shop for your coffee area everything your work where people go to the water cooler for people everybody goes to get their coffee there water whatever might be well the thing is everybody has access to it but nobody feels that they actually own it and since nobody actually owns it then they just turns into a mess right there just it's messy nobody cleans up after it and so forth that's a really good example of the tragedy of Commons you don't want that to happen to your data so it's important that you have a data owner what is a security person who study for cissp you are going to be responsible to ensure that the Aegis secure and now it's within my role that I do on a daily basis I am more I'm responsible for more and more information all the time and they consider me the subject matter expert well as a subject matter expert it's important I give them good guidance and if I don't see that things are being properly protected my responsibility to call that out and ensure that it is protected responsibility that again Security leaders must be engaged with the Business Leaders and then one in doubt you need to dry leadership as many will not make a decision especially it they will not make a decision you will have to help them make that decision that doesn't mean to be Draconian that means as a security professional you have to have influence and the only way you do employers is by educating and leading other people to this direction now you need to make sure that you do do care and due diligence with that data is imperative that you do this protecting the ID are the information that is under your care that's the last resort options as you're dealing with trying to figure out who owns the data need to use you can use a network logs to determine who has access and contact those people directly or you can have a third-party inventory Network and maps of the data flows is can be occurred by a third-party coming in there and they convinced basically sniff your network to figure out word of the day to go and then from that point you can take that information to kind of figure out who's the last person to access it was a glitch logical group tasks that's it and then say hey I need somebody to own this data they make a kind of freaked about to go how did you find out you know cuz it's people don't really understand how all the tools work and there's traffic that may cause a little bit of people you could turn off access and then Seafood screams and they will scream or not if you're not using data then maybe care as well but it needs to be a method of methyl mythology hating us third grade education comes back to bite me again basically you need to have a methodical approach and how you do this just don't go flip the switch and say I'm done now you need to make sure that you communicate communicate communicate with the people that they are getting the what you're doing and how you're taking care of their data you need to make sure that you have a methodical approach on how you take care alright so now let's roll into the cissp exam questions domain and the purpose of this one is as the questions give me when you look at sensitive data what items would be included as sensitive data it is a big Hot Topic as it relates to 6 cyber security and seltzer comes in the privacy of how do you ensure that the data is best protected and so the question comes the news when you look the sensitivity of the data what items will be included as sensitive data and there's these are four choices that would be available to you and you can come work through though to see if that would be the case with the first one is personally identifiable information otherwise known as pii the second one is protected health information or Phi and the third would be proprietary data this could be your date of almost any kind but proprietary data or the last option is all of the above all right so what do you think it is and then the drum roll is all right all the data mentioned above is considered sensitive data and in many cases if the date is posted on websites are there on the internet it is considered public domain but it's available to everyone and is not sensitive however it could be considered pii not I should say Phi non-sensitive or pii not sensitive and so therefore it if it's posted out there you still need to treat it as some level sensitivity that's that's an aspect to just because it's in the public domain play is basically any data that could potentially identify a specific individual and that's what it's designed around so it's personally identifiable information and then any date is considered for Deanna anonymizing Anonymous data so if you end up having a situation where like a gdpr you have a person and then GDP are considered identifiable information in many cases just eaten be IP address of a computer system so you need to understand that that date is considered to be sensitive and so therefore you may have to d-man to anonymize it this can be sensitive or nonsense if not sensitive pii is gathered from public records corporate Etc it still considered pii but it's not sensitive sensitive pii data when the Privacy is breached simply stating that this should be encrypted in transit and at rest so I can sensitive pii non-sensitive pii you need to understand those two differences as a release of the cissp Tazewell protected health information Phi this is a term given to Health Data created receive stored or transmitted and this is by hipaa-covered entities that may be dealing with sending this data to and fro and this could be is you knowing the HIPAA world you may have a doctor but then there's multiple third parties that are actually helping this doctor would be most likely fall under a hipaa-covered entity is sitting with Health Data all the business associates working in the healthcare world and you need to be aware if you're a cissp working for a company and they are dealing with Healthcare information you need to understand the rules and regulations around HIPAA and that the compliance requirements around HIPAA as well this is the United States electronic health information Lily Phi and this is around the same type of aspects of Phi this is now to focus specifically on the electronic form or versions of it it is not the the paper copies of it now is your deal of protected health information this really the kind of a break it down a little bit further this is past present or future physical mental health a mental health or conditions what does that mean it basically means that if you had anything in the past but you're going on now at were you may have some challenges in the future that data is protected under Phi especially as it relates to the individual and so therefore you must add proper proper that it is protected directions archers protective where is basically specifically to the individual themselves Sean Gerber his my medical information is falls under Phi and should be protected both my physical and my mental state which is hard to believe that X is quite unstable but my mental health as well now they also have your past present or future payments for the provision of healthcare so this even rolls into not just my medical record what have I bought do I have do I get medicine for the condition I have wear my eyeball goes left in my other eye ball goes right or I have my nose drips a lot and so therefore I have to have a special medication for nose drippage but bottom line is that all the payments that I make or you make for your health care is covered under the Phi aspects knots is transmitted by Electronic media maintain an electronic media or transmitted or maintained in another form or median that's all that data is protected falls under Phi and should be protected especially as a year of cyber security professional you're going to have to deal with physical security that will understand the physical aspects along with the electronic aspects the attitude of going well it's just physical that's there's somebody else that will take care of it no it'll be you you will be the subject matter expert to understand how do you best protect the physical paper vs. in and electronic versions as well Dodge dealer proprietary data this is internally generated data documents that you provide to create your 11 herbs and spices he's arteta contain the technical or other specific data that makes your company run and so therefore you must look at protecting it the best way you can get these are all important to do as it relates to proprietary did it's important you protect these things at the best of the most Optimum way you can Safeguard of the day to protect the Competitive Edge you may have a Competitive Edge in a certain area your margins maybe hiring a certain area and therefore this widget this process whatever it is makes you much more profitable will you need to protect that and if you protect that as what they considered proprietary data it's also protected under copyright patent or trade secret laws so these proprietary data is imperative that you you do those things so you're looking for the cissp questions all of those fall under sensitive data their variance various forms of it but they do have some level of of a sensitivity that you have to protect alright so here's the link that we have for the we went through today we buy c squared training study guide techtarget to talks about pii HIPAA Journal talks about the HIPAA Journal stuff and business directory gets into proprietary data finally the i c squared certifications are important I had that the secureninja link is also available as well on the site all right hope you had a great day hope you enjoy this podcast and we will catch you on the flip side see you look for joining me today on my podcast if you like what you heard please leave a review and iTunes is I would greatly appreciate your feedback also check out my cissp videos that are on YouTube just search for Sean as s h o n Gerber and you'll find content to help you pass the cissp exam last Sofia of free cissp materials available do all my emails once again for listening