CISSP Cyber Training Podcast - CISSP Training Program

CCT 120: CISSP Essentials: Navigating Security Policies and BIA Basics (Domain 1)

March 04, 2024 Shon Gerber, CISO, CISSP, Cybersecurity Author and Entrepreneur Season 2 Episode 120

Get ready to fortify your cybersecurity knowledge base, as I, Shon Gerber, guide you through the labyrinth of security policies and the pivotal Business Impact Analysis (BIA). Our latest CISSP Cyber Training Podcast episode is a treasure trove of insights, where we unravel how security policies aren't just documentation—they're the shields guarding your organization's data. With the revolution of AI, crafting these crucial policies has become more intuitive, ensuring that roles, responsibilities, and data protection measures are crystal clear to keep sensitive information under lock and key.

Venture beyond the basics as we scrutinize the meticulous process of creating security policies that stand as the vanguard against legal risks and define the line between acceptable and unacceptable behaviors. Discover the art of balancing specificity with flexibility in setting security standards and guidelines, maintaining high-quality protection while adapting to the evolving landscape of IT. This episode isn't just about setting rules; it's about building a resilient fortress through Business Continuity Planning, with BIA as your strategist to quantify risks and prep your business to withstand the unexpected.

Aspiring CISSP candidates, this is your beacon in the night. Take a comprehensive journey with us as we lay out a roadmap of resources designed to navigate the complexities of the CISSP curriculum. From in-depth video lectures to tailored courseware, we're here to equip you with the armor and sword to conquer the CISSP exam. Step into the arena with confidence, knowing that you're part of the vanguard defending our digital world from the onslaught of cyber threats. Join us, and let's advance your cybersecurity expertise together.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign-up to join the team for Free. 

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

Speaker 1:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey all, Shon Gerber with CISSP Cyber Training, and I hope you all are having a great week and a wonderful day today. Today is our podcast day. We're going to be talking about security policies and the BIA, or Business Impact Analysis, basics. So that's what the plan is for today, just like we do every day or every podcast every week we have. This is we'll be talking about the overall information today and then there'll be some questions that will roll into what we talked about on Thursday. So you'll see those coming out, and the overall goal of that is to help train you on some information and then also provide you the information you need to pass the test. As it relates to the questions, all of these questions are available on CISSP Cyber Training. You can actually go to the site. You can see the questions that are there. All of that stuff is available if you guys want to buy it. Now, I will tell you that all of the comments that we have here, as far as the podcast goes, and the video, that's all going to be available for free for you on the website and you can just go to it and you can watch it at your leisure. So any of these podcasts, I record them all, so they're all on video format. Well, I shouldn't say all. In the beginning I didn't have many of them on video format, but times have changed a little bit so they're now slowly migrating to just video, but you'll have them on video. You can have them on audio. All of that stuff is available to you at CISSP Cyber Training. Also, if you ever need a security person for resources, you can come find me. 
I'm actually happy to help you in any way I possibly can. I've had multiple businesses reach out requesting security information and I'm here to help you. So the ultimate goal Last thing is, is that my podcast, the Reduce Cyber Risk Podcast, which was designed specifically for the CISSP questions, I'm going to spin that off.

Speaker 1:

And what I'm going to spin off into is working specifically around critical infrastructure, industrial control systems and the protection of those, and I feel very passionate about the fact that we really need to work hard at protecting that information. So there'll be some stuff with business protection and then also a strong focus on industrial control protection. Okay, let's get started. So we're going to be getting into security policies, standards, baselines, guidelines, et cetera. Now, if many of you all may think and I when I first started, I thought, well, security policies and standards, baselines, guidelines oh my goodness, that's just like I want to do the fun stuff. I really don't want to do these policies, pieces of this, and I will tell you that I struggled a lot in that space just because I thought that it really wasn't necessary when I first started. But I will tell you, as a CISO and as working through security for over 20 plus years, the security policies are really a foundational piece of any security program that you have within your organization, so you really needed to work hard to define those.

Speaker 1:

Now, the great part is we now have ChatGPT, and ChatGPT or any of the AI models that are out there. You can go Copilot through Microsoft, whatever that might be. You can utilize these AI models, these language learning models, LLMs, to help you understand and build a security policy that is actually way better than I would have ever written myself, and the goal is that you take the LLM, you create your security policy out of it and then from there you go in and you tweak it and you modify it specifically for your organization. But it's a really good tool and I highly recommend it. And it would take something that in most cases people don't put policies in place because they're laborious, they take time, they're boring, you got to think about them, then you type them and then they're wrong. It just causes a lot of churn. But now, with these LLMs, you don't have to do that. You can basically circumvent two of the three steps there, where you can actually get a product and move with it very quickly. So, if you can't tell, I'm a big proponent of using the LLMs, especially for security policy, standards, baselines, etc. So now, a security policy.

Speaker 1:

The definition of it is really it's how an organization will maintain the confidentiality, integrity and availability of the data. That's the CIA triad that we talk about, and this really defines how you're going to do that. So often they are not done. So therefore that thought process is more or less left for people to kind of come up with their own, and so it's really good to define what that means to you and your organization. It does spell out the intentions and your expectations to both senior management, of the senior management, as well as to what you're expecting of your employees and what they're going to do. So, from senior management down to employees, what should you expect? Now, it also works really well when you have that policy to define with your third parties. Your third parties will ask you questions. You can now have this policy and you can present that to them specifically. So it works really well, especially in today's world where it's becoming very regulatory. You're going to need to define that, because these third parties, these different suppliers, are going to request this information from you as well. So it's a really good way to have that defined.

Speaker 1:

What are your intentions and what are your expectations? As it relates to security and cyber security? Now, it doesn't provide low-level technical guidance, and that's understandable, but it does set the foundation for your security practices for your organization. So that's the ultimate goal of the security policy. Now we'll get into the technical pieces and what aspects are those in this overall conversation, but when it comes right down to the security policy, it is not for that. It is to give you the expectations of how your organization is going to handle security.

Speaker 1:

Now, what are some of the important things regarding security policies? There are guiding technical controls. Now security policies can guide how you implement the technical controls you have in place. So, as you define your controls and you have well, I'm going to put in, I have certain admin rights that we're going to put in your policy can dictate what that will be. Now it may say that you may have a policy around password rotation. That would be defined. Now that wouldn't be technically how you're going to actually go out and do it, but it would be defined that you have a password policy. Do you have an administrative policy that your admins have to have a separate network account? All of those things can be defined within your security policy as you build it.

Speaker 1:

Now you can get very specific with your policy or you can be a little bit more broad brush. I would recommend that you find a sweet spot between the two. You don't want to be so broad that it doesn't. It gets diluted and you really don't understand the expectations. But you don't want to be so technical that you're calling out very specific criteria, that, such as my password, must be eight characters and it must be rotated every 30 days. You might not necessarily want to call that out in your security policy, or you may, it just depends upon your company.

Speaker 1:

But if you do, make sure that, if you anticipate any changes may happen in the future, you're going to have to go back into your security policy and make those changes, because the moment that you write it and then you implement things in place, and the moment you make a change you're now your security policy is no longer effective. It has gaps, and when it has gaps, people then tend to ignore it. But the goal is to articulate the organization security stance, leaving specifics of security to the overall IT teams and tell them what they need. The other thing around it is efficiency and enhancement. Well-designed security policies will enhance the efficiency of your organization, and it does and ensures everybody's on the same page and they have a reference they can go back to.

Speaker 1:

If I have a security policy defined, my people can now go back to it. They can look at it. If they have questions on it, they can come back to me and we can then work through that issue. Again, it's just like having a policy of my wife has a Kona Ice business, so she's got a small business and we have employees. We have very specific policies in place as it relates to driving while on their phone. We have policies how they are working through, dealing with money, dealing with inspectors.

Speaker 1:

All of those things are policies that are defined and it's just to set the expectation with the employees. They understand what is expected of them, what should they do, and so, therefore, having these policies from a cybersecurity standpoint already done, it also helps prevent duplication of effort and it does provide consistency in your overall plan and it does also help set the expectation, especially when you're dealing with employees that are in, let's say, countries such as Europe, when it comes to monitoring, logging and monitoring pieces. If you have that well defined now, the employees know what is the expectation around logging and monitoring. Also, when you work with the, they call them works councils, but they're basically bodies of individuals that are there for the employees. They're kind of like the union. I don't know how to really explain it other than from my knowledge, it's like having union reps and these people are going forward to the employees explaining what the company wants and, as they do that, if these things are well defined, working with the works councils, working with the unions, working with these other organizations, can become a much easier process than if you don't have these defined. So again, there's a lot of really good benefits for having security policies defined and in place and operational for your employees.

Speaker 1:

And then, from a protection standpoint, security policies do protect the critical information and the intellectual property by creating outline of the employees responsibilities around it and then how they should safeguard the data. If you define how you're going to have your employees protect the data, it makes it much more simple to then have that well articulated and defined. So, again, the great part is, if something were to happen and you have employees that are sending data outside of your organization and you have a strict policy on how they should protect the information, how they should not let any sort of business confidential data leave the organization, then at that point in time you can then go to them and saying you are not allowed to do this. Great idea is when you have email. So if I have contractors that work for me and these contractors are working on very sensitive information Well, as they work on the sensitive information, they tend to share it. Well, if they share it outside the organization, I now go to them and say our policy states you're not allowed to do this Now.

Speaker 1:

If you have a good program in place at the beginning, when you bring on board these contractors, that is one of the first things they see is this policy around security and what they can and cannot do with the data. Now there's two types of main security policies. Now again, you could make this a little bit more like three, but there's really two types. Here's your enterprise level policy as it relates to what your organization will do. Now, the enterprise doesn't have to be a large, multinational, huge enterprise for this to be a policy. This could be your company. That's your enterprise. If you have a small manufacturer I'm here in Wichita, Kansas, so we have aircraft manufacturing. We have a small manufacturing facility that has maybe 150 to 100 employees. Of that, that is an enterprise level you come together with your policy. Your employees know that when they get on their computers, this is what they are allowed and not allowed to do. You also have this policy for their mobile devices. If they're using their Wi-Fi, if they're using your Wi-Fi, company provided Wi-Fi, then here is the policy they have to go through and they have to deal with as it relates to overall using your Wi-Fi services. So, again, that describes your organization's general security goals and the principles defined.

Speaker 1:

You can get as creative with this as you want. You can also get as very specific as you want. Keep in mind, again, anything that you put out there from the company stating from company XYZ, this would potentially be something that could be brought up in legal proceedings. So you want to make sure that you do it in a way that if it's brought forward, it's clear, it's concise and it's to the point. Again, these are the ultimate goals to protect you and it's designed to protect the employee. You want to put these constraints in place for the employee because I've seen it where you don't have a policy around.

Speaker 1:

Let's say, sexual harassment you think of. I mean, I first got into this. I thought sexual harassment was somebody hitting on another individual, was making lewd comments, was doing something like that towards another individual. But when you get into the internet space, you now have the ability to see maybe porn, maybe just even scantily dressed kittens. I don't know. You think of something, but it could offend someone else, depending upon what you're watching on your mobile device or on your company's device itself. Well, therefore, they could feel harassed, they could feel not comfortable because of that, and rightfully so. But if you have this policy defined, now when the person does that, you go to them. Hey see, you can't do this because so-and-so is being offended by what you're doing. That person really has no legal right to say well, I didn't know If it's defined in the policies they've been presented, the policies, they know that going into it. So it's again, I'm really droning on this but it's because it's to protect your company and it's designed to protect the employee as well.

Speaker 1:

Now, when you're dealing with an effective security policy, there's some key things for you to consider. One is their scope, your purpose, your roles and responsibilities, standards and guidelines, enforcement and compliance, exceptions, and then, obviously, review and revision. So let's get into what is the scope, when you really we kind of alluded to this already during the podcast you clearly want to define the policy's coverage and where it goes. What does it cover, what does it not cover? And I think in some cases, calling out what it does not cover is almost as important as what it does cover. That there might be a situation where, if you want to make it a very broad brush kind of policy, you will want to have in there very specific places where it will not cover this area, and then that way there is. It's not left for interpretation. I've found out is that the more you have these things open for interpretation, the things go sideways. They really do.

Speaker 1:

You also want to have on your purpose, why the policy exists, what is the overall purpose of the policy, and now again, the language. The LLMs will help you a lot with that. If you just put in I want the scope, I want the purpose, I want blank, blank, blank blank, it will then come out and spit out a really good policy for you that you then can go in and tweak to meet your specific organization's needs. Now, standards and guidelines these provide the detail, rules and the best practices for you to follow. So when you're dealing with your policy, you come up with your policy. You then say, okay, well, now I'm going to have my standards and what I'm going to do to follow, though, and then I'm going to have the guidelines as well and that tells them what to do. You're going to have your enforcement and compliance piece of this, and that is okay.

Speaker 1:

If they don't do it, what are you going to do about it? And you really need to think about that. Is there going to be some sort of legal repercussions for it? Is there going to be a fine of some kind? Is there termination due to it? All of that needs to be well defined for the employees. So, again, you want to try to get out as much ambiguity as you possibly can when you're dealing with these policies.

Speaker 1:

Like everything in life, there are exceptions. You're also going to clarify the exceptions between these. You want to say what is allowed and who can grant them. That's an important part of this. In many cases, that is limited to a very small subset of people. Then, also, at the end, you want to define the review, the revision and so forth that goes into it.

Speaker 1:

You want to establish a process for creating updates, and one may be as simple as saying this will be addressed, will be reviewed on an annual basis, and then you have it set up that in November what we've done in the past is in November, december I review my security policies. Why? Because usually in November, december, things are a little bit slower. That's a good time for you to go and review them, and that's your annual review of your policies Works out pretty good. Again, now, if something comes up and a situation arises where you have to address a problem immediately. Once you've addressed the problem and you find a gap, then you need to address the policy immediately. You don't want to wait a whole year, but if you haven't had any issues throughout the year, usually an annual review of your policy is a good place to start.

Speaker 1:

Now there's some simple questions to ask yourself when you're building a security policy. What data needs to be protected? Do you have personal informational data? Do you have intellectual property? Do you have financial data? All of that needs to be decided. What needs to be protected? What is the most important for your organization? What are the crown jewels? And it could be as simple as I have patient data and I need to protect this patient data.

Speaker 1:

Okay, are there any requirements around you having this patient data anonymized so that people can't see who they are? Who has to have access to this patient data? All of those things need to be understood as what is the data that needs to be protected? Who has access to this data is another aspect. So is it in your entire organization that needs to have access? Is it one subset that needs to have access? Who needs to have the access to this information for your company? How will the incident be reported and handled?

Speaker 1:

Something happens, data is disclosed. Guess what it's going to happen You're going to have data leave your organization. No matter how many protections you put in place, it's going to leave. It's not 100% and if you try, I would highly recommend you do not promote the fact that we will keep all the data inside your organization. The moment you say that you will fail because it will leave, it finds ways to get out of your organization, with or without your knowledge, and therefore it's important that you have a well-defined policy on how to handle it. What will be your encryption standards? How will those be applied? Something to consider I know just came out recently is the encryption standards that Apple put out for iMessages. Again, those are important factors that are going to be part of this overall organization or overall plan.

Speaker 1:

Now, again, what you want to consider is some of the potential examples that you have, as it relates to a policy. You have acceptable use. That's IE using company resources, it's computers, networks, email. All of that is an acceptable use policy. You want to have policies outlining passwords requirements. Do they have to put in a 10 character password? Do they have? What are the different password requirements they have? And then you want a policy addressing the physical security measures, ie access controls, visitor logs, etc. All of that stuff you want to have available for your employees so they understand what that is.

Speaker 1:

So now we're going to get into standards, baselines, guidelines and procedures. So what is a standard? A standard is developed and enforced by authoritative bodies, i.e. governments, industrial associations, professional organizations or your company. You guys can set the standards of what happens. Now I've got standards that I set for my, for our IT organization, but I've also got standards that are set by regulatory bodies that deal in what my organization, my company, deals with. So we have different standards that are set up by these bodies and these are there to help, to also give you guidance and direction on what you need.

Speaker 1:

These standards, again, can be regulatory, where, i.e. you have challenges that if something happens, the government will come down on you. They can be voluntary, they can be regulatory, but they're also voluntarily followed. They can be technical, operational as well. So they can be all these different categories that are available to you. These categories can be such as they can be regulatory, voluntary, technical or operational. So something to consider. As it relates to the regulatory, I have to meet certain regulatory requirements by the US government as it relates to certain specific parts of our company and if I don't meet those then I will potentially be fined and or there could be some sort of legal prosecution against me. That's what happens with the CISOs today. There's more legal issues that are kind of arising out of all of that and so that's therefore I have to follow those. Now there also are some voluntary standards that they recommend you do.

Speaker 1:

How would you implement Wi-Fi at your location? That's a piece of it. Technical piece of this I don't. I haven't really seen the government or any sort of standard that's come down specifically from outside my organization Give me a technical standard. But I have provided technical standards to individuals within our company and then obviously, the operational side of the house. I've done that from an inside to our organization. So again, you need the technical and operational piece. You're really not going to get a lot of outside government bodies telling you what to do.

Speaker 1:

But now professional organizations I will say ISC², there's different chapter groups. They don't really tell you what you have to do, but they give you technical guidance on what are some things you can do within your organization. You want to establish minimum requirements, such as best practices and benchmarks, for the overall security, performance and compliance of your organization. So you have these best practices in place. A good example is I met with a company, chatted with them on the phone and I gave forward to them some best practices in which that company can do these different things. And so the ultimate goal is that they want to protect my company's data. So I can't tell them what to do, but I can give them some best practices and some benchmarks that they can use within their organization. Now that's a standard that can be used as a best practice standard, and I can refer back to that standard saying, hey, if you follow this, you will be in a much better position to protect my company's data.

Speaker 1:

Now there are some pros and cons, obviously, of doing any sort of standard, such as it does improve the quality of the security, it does consistency and the interoperability between organizations, but when you add standards, it does add cost. Why? Because you're now setting a bar to a certain level that people will have to meet. It also adds complexity, which means things at you, set at this level, in six months could be at a very different position. Let's just look at LLMs and AI. I kind of come back to this because of the fact that that space is changing all the time. Well, you set that up. Now you have the complexity that you have to kind of deal with. Okay, so baselines. Now these are derived from standards, policies and or potentially historical data that you have.

Speaker 1:

Now these, what a baseline would be, would be something similar to a configuration how you will have a maintained, a certain performance or, specifically, a risk that you're willing or not willing to accept. Now you want to have some way to measure and monitor these changes and any sort of deviation that may go from your specific baseline. So let's say, for example, you have a baseline that I want to have all of my systems to be patched with X patch, whatever that might be. So you have to have a way of if they're all patched at this level, is there a way to determine when they are they're in this current state, when they start changing from that current state? So, as time goes right, you have a certain patch you need to keep updated. Well, you'll. As you get into an organization, you're going to find out real quick that most of the systems in there are in different patch states. Some are patched all the way up, some are not so much, some have not been patched in forever. So you're going to find out how do I deal with that. Well, if I bring everybody up to a same state now at some point though the time keeps going there's going to be deviations and derivations from that state, so it's important for you to keep track of all of that.

Speaker 1:

Now there's pros and cons of maintaining a baseline such as it does increase your security, visibility, your accountability and the overall improvement of your organization. However, like the downside, the con of this is it does require resources, updates and continuing adjustments to your baseline. So, again, you have to be careful. It's from coming from the military. We were very specific, very checklist driven, and it's important to do that. But what also happens is that then you become a that we call it the self-licking ice cream cone, where you're constantly having to make changes for this thing that you created. And in reality, you didn't need to be quite so specific, and because you became so specific, it created a lot of additional work or potentially waste. So therefore, you just got to be really careful on when you make these baselines and the stand and the standards as well, so that you give yourself a little bit of room, so that you're not constantly updating and managing these systems.

Speaker 1:

Now, as it relates to guidelines, they can be very general, they can be specific, they can be flexible or they can be even mandatory, depending upon how you set these up. They're also they're designed to help you provide recommendations, suggestions and, potentially, options for security implementation within your company. So if you define a guideline to your IT professionals, this is how they would implement this. Now, you'd want them to be very specific, if you need them to be specific, but you also want them to give them the flexibility that they need. They see something different, they can pivot, they can move from that. Now, there's advantages and disadvantages for using a guideline. The one is they help facilitate security customization, so they can make a very good security program as well. They do allow for a lot of innovation and adapt and adaptation by folks that are implementing these security controls.

Speaker 1:

However, if you create a guideline, they can be ambiguous. These are like big $10 words. You can be ambiguous and they can be inconsistent depending upon one. When you, who wrote them two is also the time that it took when they were last wrote it. I wrote it See, there's some really good English, for you wrote it oh my gosh, my wife would just be all over me wrote or had written, had written inconsistency, and they also can have there can be conflict between the different guidelines. So if you have one guideline that says one thing and you have another one that says something else and there's subtle differences between the two, you can have conflict between them.

Speaker 1:

Now, procedures these are designed and executed by security professionals that are wanting to do things, but they also can be done by users as well, and in many cases, you see the procedures that are actually accomplished by automated type tools that you may have in place that are providing these types of scripting that may end up implementing security aspects of it. Now these procedures can be either routine, they can be emergency, preventive or they can be corrective procedures. They help define and document specific steps and actions and the tasks that the security functions and activities may occur. Now, when you're putting these in place, one thing to think about is the security, efficiency of doing them, how effective they are and the reliability of them. So that's a great advantage that they're constantly running. They can you don't have to worry about especially if they're automated that someone makes a mistake, so they can be extremely effective in that regard. However, because they can be automated, they can cause errors, failures or delays, and what I mean by that is I've had many times where a security tool has actually gone out in a way to actually do something good for security and created more of a problem.

Speaker 1:

It's brought certain parts of companies to their knees because you're putting in place security tools. A good example would be that you implement something against your service accounts, and your service accounts have to have their password rotated. Well, that's fine, if that system can allow for password rotation. However, you have an automated system that's going in and rotating passwords, but then it hits a system that it can't automatically rotate the passwords on and then it causes a break, or it rotates the passwords and it doesn't do a good job when it does that, and now it breaks the system as well. So it can cause failures, which makes people very unhappy, and you lose money and you lose time, and then security gets a black eye. So you want to make sure that you have a really good plan when you're putting in place any sort of procedures, especially from an automated standpoint, within your company and your organization.

Speaker 1:

Okay, so let's just talk cloud computing as an example. So if you guys see my screen, and you can see this at CISSP Cyber Training, cloud computing again will bring you a lot of different things, from storage, databases, networking. All that stuff is available to you, and people choose cloud computing. Why? Because it's highly scalable, it's flexible, it can be cost efficient. See, it depends. I'd say it's pretty much a wash, but it does allow you to get a lot of innovation; it allows you to stand up systems very quickly and tear them down quickly. So there are a lot of great benefits to cloud computing. However, there are also significant security challenges that are involved with cloud computing, such as data loss and malicious insiders. We do know, as security folks, that there are a lot of people going after cloud configurations. Why? Because people don't know how to configure them correctly and therefore, pointing at myself, if you try to go in there and do that, you make mistakes, and as you make mistakes, now it opens up the door for people to get into your organization. So there are challenges, right? Well, as an organization, you want to really adopt some level of a security standard, a baseline, a guideline and a procedure to address all of these specific risks that are out there, but also to address the responsibilities of using these cloud services.

Speaker 1:

One way you can do that is by using best practices and/or frameworks and standards to do this. The Cloud Security Alliance, which is CSA, provides best practices on how to manage your cloud computing environment. Then you have your standards: ISO 27017 and 27018 are also cloud standards. So you have your best practices, which CSA provides; you have your framework or your standards, which ISO provides; and then you have your policy that you provide. So you have all of those things in place to now provide a relatively safe environment for your cloud space.

Speaker 1:

Now, that being said, there are a lot of gaps in there. There are a lot of things that can go wrong, but at least you've defined what those are, versus going, "Let's just wing it and see what happens," because when you wing it, things don't go well. Take it from me, I've won. My wife will tell me all the time, "You wing way too many things." I kind of just throw it out there and see what happens. That's okay in some cases, but in many cases, especially when you're dealing with the security of your company, probably not the best option.

Speaker 1:

Okay, so let's roll into the business continuity plan. And how is that important? So I'm just going to do a quick overview of the BCP and understand what a BCP is and why you would do it. So a business continuity plan is a practical guide developed by companies to enable continuous operation in the event of a major business disruption. Makes sense, right? The goal is that if something goes down, you have a plan to be able to bring it back up, or to at least operate your business in a way without that piece of equipment or that process that's in place. Now, it does involve a lot of work with your senior management, and it's overall analyzing the impact of a disrupted business process or unit and how that would affect your organization.

Speaker 1:

So now, when you're dealing with a BIA, you need to have some sort of BCP. I should say you need to do some sort of impact analysis. We call it a BIA, and when you do a business impact analysis, you're going to want to understand what are some things you need to do as it relates to a BIA. One is project initiation. You're going to want to define the scope of the project and agree that a BCP, which is a business continuity plan, is developed. You also need to have a contingency planning policy statement. We come back to policies. You need to have that defined: what are you going to do? Now, I'll tell you right now.

Speaker 1:

A BCP is not designed for your entire company. If you want to have that level of granularity, you would create a disaster recovery plan for all of the different organizations within your company. A BCP is very laser-focused on a specific business unit that you have. So if you have one business, one unit, that if it goes down, my company makes no money and life sucks, then you would do a BCP for that. If there's a part of the hospital that, if it goes down, people die, you would want a BCP for that. Now, you wouldn't necessarily need to make sure Wi-Fi is available for all the people in the hospital; you wouldn't need a BCP for that because it's not really that much of a business impact. But when you're dealing with something specifically within your organization that is critical, you'd want to have a business continuity plan developed.

Speaker 1:

Now, as you're doing a BIA, you want to understand, identify, quantify and qualify the impact of loss, interruption or disruption. You've got to be able to put numbers to this and you've got to be able to explain, if something went down, what would it impact? Are people going to die? Am I going to lose money? Am I going to have regulatory requirements that I'm going to have to pay for? I don't know, are all the inmates going to escape? You have to define what that loss is, right, and this is a crucial part that uncovers the activities and resources not initially present in the scope. What that basically means is that when you first think of what it is, as you talk about it, you realize, oh, there's something over here, oh, there's something over here, and as you peel back the layers of this onion, as they would say in Shrek, you find it very, very interesting. There are lots more things that you did not plan for and did not anticipate, and hence that's what the business impact analysis will do. I've seen it many times where I do a BIA and I pull back the layers of this onion and I go, wait a minute, there's a server sitting over here that, if it goes down, the entire facility goes down. Yes, well, that's not good.

Speaker 1:

And then you would have to deal with that: how do you deal with that? Then you have identifying preventive controls. You want to determine the common threats to critical functions and consider any associated vulnerabilities that could apply to that. Now, those vulnerabilities could be from an outside hacker; they could be from something else entirely, but you want to understand all the associated vulnerabilities with that specific problem. You want to have a recovery strategy. How are these set up? These are based on the findings from the BIA. You would establish recovery strategies based on that.

Speaker 1:

You want to design and develop, and this would be a contingency plan. You would implement training, testing and so forth, and you'd train the relevant personnel, and then you would test the plan. You basically implement it. You develop it, you implement it, you train people, you test it, and then you put it in place, and then you go back and you reiterate and you test the plan once again. And that comes back to BCP maintenance. You want to effectively update and maintain your BCP to ensure that it's going to be effective and it's going to be available for you when something happens, and it will happen at some point. It may not happen to the full level, but I'll tell you right now, COVID kicked me hard. Because we had already put in place things to deal with business continuity, when COVID hit, everything changed, but we already had processes in place to ensure safe and continuous business operation.

Speaker 1:

Thing to keep in mind is a BIA plays a crucial role in the overall scope of your business continuity plan, and you want to do an impact analysis because, again, it will help you determine what you hit and what you didn't hit. You can look out there on the internet for how to do a BIA. ChatGPT will give you some guidelines on how to do a BIA. But the impact of this is sudden loss of business functions. Usually that will be in terms of a cost to the business. Now I say that; I've done these for the financial pieces of it and how it affects my business. But also, if it were to be impacted, how could it affect a company from an environmental, health and safety standpoint? So something shuts down; processes aren't designed well to be shut down just like that. What happens? Well, things can go boom, things can blow up because of that. That's an EH&S issue that you have to work through, and then it helps companies determine the financial impact and potential personal impact of outages or any other disruption to their business. That's why BIAs are so critical. Okay, that's all I've got for you today. I hope you guys have a wonderful, wonderful day.

Speaker 1:

Again, you've got a shameless plug.

Speaker 1:

Get on over to CISSP Cyber Training.

Speaker 1:

You get all the training you want to study for the CISSP exam.

Speaker 1:

It's there and it's available for you. For the CISSP, it'll walk you through from step one to step 20. It's got all the videos that are there for you. It's got all the courseware that's there for you. It's got a blueprint that's available to help walk you through this confusing book, because, if you guys are watching the video, here's the book. Okay, it can be confusing, it can be hard. The ultimate goal is to take all of the information that's provided through CISSP Cyber Training and have it available to you so you can listen to this, you can get it, understand it. So when you go and you pass the CISSP, which you will, then at that point in time you've put good funds into something that you can be successful at, and then you can take your CISSP and you can go out and protect the world from the evil hacker horde, because they are out there, they're growing and they are causing lots of disruption. So have a great day and, you know what, we'll catch you on the flip side. See ya.

CISSP Cyber Training Podcast
Creating Effective Security Policies
Security Standards and Guidelines in IT
Business Impact Analysis and Continuity Planning
CISSP Cyber Training Overview