RCR 040: Compliance Requirements (CISSP Domain 1)

Description:

Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

In this episode, Shon will talk about the following items that are included within Domain 1 (Security and Risk Management) of the CISSP Exam:

• CISSP / Cybersecurity Integration – HITECH
• CISSP Training –  Compliance Requirements
• CISSP Exam Question – Preventive Controls / CIA Triangle

BTW - Get access to all my CISSP Training Courses here at:  http://reducecyberrisk.com/cissp-training/

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

ReduceCyberRisk.com - https://reducecyberrisk.com/

Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS: 

• ISC2 Training Study Guide
• • https://www.isc2.org/Training/Self-Study-Resources
• Quizlet
• • https://quizlet.com/87472460/official-isc-cissp-domain-1-security-and-risk-management-flash-cards/
• Tech Target
• • https://searchsecurity.techtarget.com/quiz/Cybersecurity-risk-management-CISSP-practice-exam
• Compliancy Group
• • https://compliancy-group.com/what-is-the-hitech-act/

• Wikipedia
• • https://en.wikipedia.org/wiki/Arms_Export_Control_Act
• Wiley
• • https://testbanks.wiley.com/WPDACE/Quiz>

TRANSCRIPT:

welcome to reduce Cyrus podcast June 17th 2019 episode 41 security and risk management action-packed informative podcast join me each week cuz I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam hey Alice Young cover from reduce cyber risk and I hope you're all having a wonderful day and this beautiful state of Kansas I'm having a great day it's 75° going to be gorgeous today I can be a little warm which is awesome sauce Scoville just a little bit on the cool side the evening which is even better and the mosquitoes haven't come out yet that are the size of bird I saw some small spiders running around which are quite large actually but yeah that's not bad my dog just eats those other than that life is good here in Kansas and we are going to be awesome things as a relates to cyber-security today on today's podcast but before we do want to talk to you for you specifically and this is cissp training that you can get through to me right now it's awesome you can just go to the site you to me and you can search for my name Sean. Gerber or you can click on the show notes and I've got such a great link to it on cissp training at reduce cyber risk and it will go take you specifically Dre straight to you to me and get some incredible cissp training that I have available for you and this is great stuff as you know what you do to me they give you some really good prices on this really can't beat it at all amazing just by going to you to me and getting those so again you can check those out at udemy.com or you can go click on my Link at reduce cyber risk and get that cissp training specifically for you alright cybersecurity integration I'm getting into a product called Hi-Tech okay that's a health insurance information piece of this and will can I go into that just a little bit cissp training is going around compliance requirements and then the cissp exam questions are going to be on preventive controls and the CIA triangle alright let's get going okay let's roll into this Lucifer Wikipedia and it talks about high-tech and high-tech is the health information technology for economic and clinical Health Act of 2009 say that 10 times and your brain will freeze and you're probably going what the Dickens is that well this funny falls into the compliance aspects that we're going to get into in Wikipedia had a really good product about this and put it out there obviously typed it into Wikipedia and went through the different aspects of high-tech and in high-tech is one of those things if you're doing the health insurance aspects and if you are studying for your cissp which I assume you probably are I understand a little bit more about these aspects cuz I honestly wasn't being a cissp myself you get very Niche too and to a certain area and so therefore you kind of forget or you don't really deal with these other aspects and this is just a really good way of for you to kind of understand to broaden your capabilities this was pert the anticipated the expansion of e protected health information which is the electronic Phi and I don't know if you all are in the United States around the globe as well I just got back from China and I noticed that everything they have is online and use WeChat for everything they use Ally pay for other aspects I mean they are totally connected in China and I think it was the same thing everybody's on their phone when they're walking around the streets so it's only going to be more and more of this well the United States electronic health records are actually all out there right now if I can go online I can look at all my kids and what they have online what what are some of different cases I have to go to the doctor with my authorizations all that stuff is done online and so this this was designed to help with that electronic capability that just kept coming up as they tell deal with this in this was passed by the Obama Administration back in 2009 what's the reduce the cost of healthcare sharing as they're putting stuff out and in so therefore it that's kind of why I came out was just to help reduce those its physical cost this isn't a design is that would be if your having data between hospitals and other entities that store your e-phi are your patient health information and that's the whole purpose of it so there's a lots of information that is passed back and forth between an entity that let's just say you have a company that is a third party to a hospital and these people work on MRIs will they have the ability to have some data of individuals that is passing back and forth when they wanted some level of privacy added to these and it expanded the scope of privacy and security protections for this date of that is moving around between these entities and it also increase the light legal liability if you don't protect it now one thing I've learned in corporate world is that you have lots of third-party vendors in these vendors will are basically the little fish that sit around the big whale and so therefore they are all servicing this big the big whale isn't it as intense as it possibly should be until therefore they induce a lot of issues to companies because of the simple fact is that they're tied in well now you add the complexity so you know Corporate America you have a vendor that takes care of you you have those requirements to make sure they protect your data but now you add that additional component of having PIR pho potentially being stored by these third parties within what ends up happening is now you just incurred greater risk by having these third parties involved with in the hospital so therefore this was to increase the legal liability of individuals who do not protect this information back in 2011 to 2015 to get people to migrate to this direction I know in China they move people to WeChat and I honestly I can't even use a corporate credit card in China anymore just because everything is on WeChat well in United States they've been trying to move them in that direction they didn't really say this is the way it's going to be and so therefore those incentives were set up until 2015 they were penalties out for not acting after 2015 so if for some reason you said you know what I'm not going to do it after 2015 then there were some penalties that you would had it be incurred for not doing that how many fields they're just not very effective and what they're doing and the one thing that high-tech had talked about the hitech Act was that if you have willful neglect and they have prosecuted some of these where you will be penalized and it but it is set up on a case-by-case basis the final range anywhere from 250,000 to 1.5 million depending upon how willfully neglectful you are so that's a lot of cash and you really not up really focus on this and if you're a cissp going to work there a health insurer or health company and you're dealing with high-tech you better understand how you're protecting these people's information because it again I come back to this if you're not being audited and penalize now it will be it's just a matter of time it's just a matter of time before there's a big breach or something large happens and then there will be a knee-jerk reaction to them enforce these audits if they're not already being done so the best thing to do is to work to strive to get towards compliance on these as best as you can just because the simple fact of it is is that you're going to have to deal with it at some point and it's only going to get worse as we get more and more cyber breaches that occur every career in the health industry or whether it's in manufacturing whatever it might be now that high-tech also had a brief note of breach notification and this breach notification is similar to others that you deal with pii disclosure the high-tech requires patience to be notified Annie's unsecured breach do you see this a lot in pretty much anything out there deals with these unsecured breaches about 500 plus patients then Health and Human Services must be notified of the situation I also want to include that you state privacy officer would need to be known as well so now you're not just involving the individuals that are involved the 500-plus people are h h h h h s Euro notifying the price State privacy officer is that state that they resided in now if you are a large the hospital there's a really good chance that you could have multiple States involved so then you got to deal with multiple lawsuits so the fine is just one aspect episode 250 Grand at 1.5 million is Define from HHS from Health and Human Services but now you deal with a lawsuit for loss of their Privacy Information other their data that that can go up and be Millions as well so it's really behooves you to pay attention to this stuff and strive to deal with trying to protect the data and I've also mentioned this before when it comes to these compliance aspects and again I am not a lawyer to do not take this as legal advice but one thing that I would say is if you do everything in your power to protect information and we all know that people's day it will still get briefed from time to time it still will happen but if you've done everything you can to protect your data and put it in in respect to what the is Define within the hitech ACT then you are in a much better more defensible position in the event of a breach still doesn't mean you're not going to find it still doesn't mean you're not going to get sued by customers however you're in a much more defensible position then if you just ate just keep moving on that is not a good place to be just keep that in your back pocket again not a lawyer not the one that can tell you what to do but it's just from what I've seen in this space in this world that doing those things and that due diligence goes a long way especially with court also talked about breech patients the class mailing and then it must basically reset resolution to the issue enema specify specifically what did you do to fix it are you putting them on some sort of the name of it we're dealing with the Identity Theft Protection those kind did you only with Daddy putting on people in there protecting their data through Experian one of those and then if you have possible credit monitoring services that you may offer to them all of those things are going to ask what did you do to resolve the challenge that would occur because of the breach that's all I got for the cybersecurity integration with move on to the training okay this is under the cissp domain 1 security and risk management topic on this one is determining compliance requirements all right as we all know compliance is a huge aspect as a relates to cybersecurity and the cissp so 1.3 of the cissp training manual that you'll get to rise c squared kind of talks a little bit about compliance requirements and some of the things need to be considering about that and one of the topics is determining compliance requirements so what's going to roll into a little bit about this and see what you what we can kind of dig into but isn't overview there's an active conforming or hearing to rules policies regulations dinners or requirements and it's basically you must comply with these things and I kind of talked about compliance well when you're dealing with these big sea compliance this means you must follow rules policies regulation standards or requirements and I deal with this on a daily basis if you're a cybersecurity professional this is something that is near and dear to your heart and you must deal with it all the time employees need to be trained on their responsibilities around comply with applicable laws and the regulations and you need to make sure that you teach people this the governance to understand these pieces an example you got pci-dss stupid training available require that you have to pci-dss and I've also got on reduce cyber-risk get some more train that's available for you on the PCI aspects that can I go to that specifically and some specific training around it but there's 12 Min requirements as a firewall configurations there's a you need to voice Bender Supply default password give me locations and we'll talk about it future podcast around some different kind of protocols in with encryption I restrict access on card at 2 people that need to know I'm not the guy you hired for the summer that's going to be surfing the web on the computer that holds all that information not a good idea and there's many many others obviously but bottom line is there some key things that you must maintain with your when you're trying to get pci-dss certified and so as a vendor who are as an individual who has a credit card at their location you're going to have to make sure that these things are set in place and there's different PCI criteria that are available for you that you do you need depending upon what your company does will have to follow but bottom line is is that you need to maintain these and so therefore as a cybersecurity professional you need to make sure you're in compliance with that specific regulation that rule now we're dealing with contractual legal in industrial standards this is kind of an objective that's on the side of the cissp and privacy and continue to grow as a Hot Topic within the United States and we see this all over the United States especially in the California and I'm seeing it Massachusetts but you're also seen it states that don't typically fall the California Massachusetts type of timeline where you go to the key drivers of the key was it many people used to guide their Direction around cybersecurity or actually around privacy and there's many other states now they're adopting this piece dressing as a digital age continues to grow and yet China use you and Isabel vary from country to Country and I've also known as like even within China the country may say one thing but even the provinces have different perspective of what the country is saying so you've got that Dynamic to deal with as well as privacy laws and there's a Fourth Amendment of the US Constitution in this kind of talks about this and this was again obviously Constitution was dude done in 1919 1770 prostitution was done up I get I asked you that I probably know probably somebody to let me know I know she was doing on 1786 and 22 is I think it was two years after it was actually ratified or actually sign or signed the e-sign it's alright it's quite early here in Kansas and so I'm half-asleep is weird what is the right for the people to secure their persons are houses are papers and effects against unreasonable search and seizures and shall not be violated in this was designed in the United States around the king of the United Kingdom and England coming in there their soldiers undoing unlawful search and seizures and just basically just ransacking the place trying to find what they want and what they could about you and there should be no warrants shall issue but upon probable cause support by oath or affirmation in a particular describing the place to be searched and the persons and things to be seized bottom line is you can't go in United States I don't know how that is in the country of where you're listening to this but it do have something similar to that those US Constitution spells it out so you can pull that out when someone tries to do it changes to the amendment have include what we call wiretapping to include with with now it moved into the digital age is wiretapping has been around right after obviously in the early nineteen hundreds of when the that started all coming to be and these these laws are woefully inadequate in some cases they are actually getting better over time but I think that many cases of this just they've had to keep try to keep up with the digital transformation which is extremely hard and challenging the Privacy Act of 1974 the federal government this is where they deal with private information about individual citizens and it's get puts limits thank goodness on what the government can do now doesn't mean that they're actually following it you would love to say they are but there's lots of wiggle room in legal language and so therefore they do these things and this is also where the Patriot Act came into play and we'll talk about that later on but it allowed them to usurp some of these privacy laws that are in place and they had to go back and get resolor get it reaffirmed every year but that's one of the things that that's a whole different animal only applies to government agencies in this case here so when you're dealing with privacy is it comes down to is that the only government agencies will be able to limit that about individual citizens and what they can actually do now the exceptions are health and safety senses law enforcement court orders at National Archives and again those could be tweaked a bit to help you help the government get what they want but bottom line is those of the main exceptions to the Privacy Act of 1974 the ACT this is basically came out in 1986 which is kind of more my generation and the other just dated me I'm like really really old is basically it was too and it was designed to invade the Privacy Electronic Privacy of an individual's it's a crime to do that and so therefore they want to put this in place and it helped brought in the federal wiretap act that we've been put in place in the early fifties if they put that fifties or sixties place I'm probably wrong on that as well but it did prohibited the interception of electronic communication so I just couldn't go out and start sucking down information about you as it related to without proper warrants right and it's illegal to for mobile to tap into mobile phone conversation now that has changed a lot in this from an antenna on YouTube was just it was tied to a wire that's come a long way since then run out everybody has mobile phones and you still say I walking through India you know they got 1.4 billion people and everybody is on a phone everybody got their head down walking on a phone it just blows my mind and that's what that's kind of what cellular technology is done as it's helped expand these networks to places where typically phone coverage wasn't covered with you you didn't have phone coverage and now everybody does it's connected the world even more Communications assistance for law enforcement this actors in 1994 and it allows I just came into play where you could actually get into mobile conversations of the 1984 and hence that's why because now they went from bag phones to everybody has a cell phone electoral economic Espionage Act of 1996 this extends the definition of personal property into the electronic property so now you're getting your getting out of this whole physical data I have a check now for a bag I now have an electronic Apple pay account so it's going from personal property and electronic property are the health insurance portability hip-hop that was set up a 1996 this is privacy and security regulations incorporated into the law specifically set up as they were set up in that law and then then we get into high-tech what you talked about earlier and this is a health information technology for economic and clinical Health Act of 2009 privacy and security requirements as it relates what's in place on a deal with that the technology to e-phi is we had talked about before and the bottom line is it comes on a breach notification again over 500 individuals you have to notify HHS and then also the state privacy officers as well motorhome engines run this would be Copa and this is a relates to take care of kids online find privacy protection act of 1998 and this is basically online privacy for children and is the gramm-leach-bliley act of 1999 this is this is the financial restrictions between institutions and allow more communication between them I want to come back with Copa that's actually really good thing that they finally put in place for that and it helps at put a little the restrictions around what you can show children what you can't I would say that in some cases are kind of pushing the envelope on some of that little bit again that comes down to what some people believe but it's as it as data becomes more and more open and available you're really got to watch what's out there for these kids cuz some of the stuff is pretty that's not so good someone that was a result of love 9/11 that hit New York Trade Centers and took those out and I basically lost her blanket authority to monitor a person now it's set to expire 2018 Les is reviewed by Congress and it has been reviewed over the past year they have to reaffirm it or every two years and they have to reinstate this again I think at this point time it's interesting to see it's one of those things like taxes once you give what you set up a certain amount of taxes you pay taxes it's really hard to revoke those taxes in many cases that don't ever go away they always just stay there and you end up making more money to offset the cost of those taxes same thing comes into place around this with the Patriot Act they doesn't want to lose their control and so it'll be interesting to see what happens with it I think people are finally getting fed up with that guy is out of the day but at the end of the end of it what do you lose from the Privacy standpoint which is very different than some other countries don't necessarily care so much but I would say here in United States it's becoming a more more problems this with me I'm not a big fan of it I'm former military and I'm all for having the government have control in some cases to help protect the citizens but it needs to be structured in limited because at some point then it becomes ultimate power and that's just not a good thing so you got to watch that put checks and balances on that rights and Privacy Act FERPA this is for parents students with the rights with educational institutions so this is how you set this up with educational institutions that they mad manager rights of your students and then identity theft and assumption deterrence Act severe criminal penalties for identity theft so this kind of Falls in line with when you deal with identity theft if someone steals your stuff they get nail with multiple things are getting a love wiretap I'm getting the old male with money fraud with money laundering go get nailed with in this case your identity theft and this could be a $50,000 fine up to 15 years in prison term so there's a lot of things and get at it for doing his identity theft stuff that's why it again. The upside might be good you might think it is used for short-term cash and you can be enlarged for a while but the downside is you got to break big rocks into little rocks issues as it deals with identity theft and assumption deterrence okay that's all I have for the cissp training let's roll right into the exam questions alright these damn questions are over domain 1 art is a question trolls those items that she'll be considered as defense articles and defense services and control their Import and Export all right so what does that mean what basically means is that there are is true because there are controls in place the government can put in place that gives the president the ability to put in restrictions around what can and cannot be imported and exported of the Arms Control Act of 1976 does is this gives the president United States defense articles and defense services called into play is a cryptography could be potentially sent to United Kingdom and so who's the president United States can authorize that know that goes both ways right thing cover other countries do the same thing to the United States for import-export I know is Israel has a lot of stuff that they make specifically internally to them that they do export and sell but I know they keep back some of the things that are specifically to their country so those are aspects around it that you that you'll understand from the cissp question if the arms export Control Act of 1976 for anything that might be used from a defense standpoint for military purposes can be limited alright another question is vulnerabilities and risks that are evaluated based on their own threats against which of the following okay so we have a one or more of the CIA Triad triangle principles data usefulness Sea-Doo care ND extent of liability one more of the CIA Triad Brian's principles all right so when you're focusing on vulnerability and risk that are evaluated what do you do against them you focus them on the CIA which is confidentiality integrity and availability how do they affect each of those three that will then determine how do you want to deal with that specific threat so therefore when you're evaluating it you focus on the CIA triangle and it really isn't it comes back to that if you can focus on those three things how does it affect confidentiality Integrity of the data and how does it affect availability of the data those are all very important pieces that you need to keep all right that's all we have for today and I want to just pass on weekend one more plug for the reduced cyber-risk and my cissp training that you can get through you to me or you can go on to ever do cyberbass.com to the link will take you to you to me for that training again all domains domains one through eight is all available to you on the at through you to me and what I also do is I upload new content to that training to provide it to you will always have updated cissp training specifically for you and that udemy use you know they give you good pricing for that I mean honestly incredible pricing that give you a check it out or at take you directly to you to me and all the domains Isis training study guide Quizlet techtarget compliancy Group Wikipedia and Whiteley from spanks alright have a wonderful day and we will catch you on the flip side