
CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 260: CISSP Rapid Review Exam Prep - Domain 1 - Part I
Ready to conquer CISSP Domain 1? This rapid review episode delivers essential knowledge on security and risk management fundamentals that form the cornerstone of information security practice.
We begin with a timely discussion on preventing ransomware through exfiltration controls, noting the alarming shift where 90% of ransomware attacks now involve data theft. The practical advice on implementing zero trust architecture acknowledges real-world challenges while providing actionable steps for gradual deployment.
Diving into Domain 1, we explore the ISC² Code of Professional Ethics and its four critical canons: protecting society and infrastructure, acting honorably, providing competent services, and advancing the security profession. The CIA triad (Confidentiality, Integrity, Availability) is thoroughly unpacked alongside the critical concepts of Authenticity and Non-repudiation, with practical examples of how these manifest in organizational security.
Security governance emerges as a crucial topic, emphasizing the necessity of aligning security efforts with business objectives rather than operating in isolation. Practical guidance on establishing effective governance committees, defining clear roles, and implementing proper segregation of duties provides real-world context beyond theoretical concepts.
The complexity of compliance requirements is demystified as we navigate legal regulations, industry standards, contractual obligations, and escalating privacy requirements. Particular attention is given to data breach notification timelines, evidence collection procedures, and transborder data flow considerations – all essential knowledge for modern security professionals.
Whether you're preparing for the CISSP exam or seeking to strengthen your security program, this rapid review provides the comprehensive foundation you need. Visit cisspcybertraining.com for additional resources including practice questions and study materials to support your certification journey.
Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.
Speaker 2:Good morning everybody. It's Shon Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today we're going to be doing something just a little bit different with the CISSP. So typically on Mondays I have a CISSP domain and then I have the questions that are going to follow up on Thursday. But this week we're going to do something just a tiny bit different. So I have created a CISSP rapid review that's available for folks. You can go to YouTube or you can go to my website and you can download it and look at it, and it's pretty awesome. It's a rapid review over domains one, two, three and so forth, all the way through domain eight.
Speaker 2:But this is going to be the rapid review of domain one, and so it's going to be a two-part series. We've got one that's going to hit today, obviously the first part of domain one, and then the second part will hit on Thursday. Now the plan is that this will hit this week and next week I'll get back to what I was doing, and then another one for domain two will come out and we'll do that as well. So the ultimate goal is not changing anything of what we do for CISSP Cyber Training. It's actually going to give you the rapid review. It's going to go over domain one, and the design of it is so that, as you're getting close and getting ready for your test, you can go through this rapid review (not questions, but content) and then you can kind of feel how comfortable you are with domain one, how you feel with domain two. It gives you just an idea of where you're at in a review process. So all eight of them will be available to you, and it'll be approximately, between all of it, around eight to nine hours of actual content. So it's gonna be pretty cool. I hope you enjoy it. This first one will be about 30 minutes long and the second one about 30. Domain two is a bit shorter. Obviously that's a smaller domain and there aren't many questions tied to it, but those will be coming and you'll be seeing those in the future.
Speaker 2:But before we get started with that, I want to just kind of walk you through an article that I saw, which was around stopping ransomware in its tracks with exfiltration prevention. Now, this is one of the things that I think is really important. Obviously they want to do the destruction piece of this, but a lot of times, folks, they have to get the data out of your organization to utilize the overall blackmail aspects of it, and this will help. I mean, obviously, the destruction part is a big factor in any organization, having it destroy your data and then not having the backups and all of that whole drama that goes with it. From the 2025 Verizon DBIR report, 90% of ransomware attacks did involve some level of data exfiltration. So if you can stop that, that's a huge part. The statistics that came with it also said that it was up from 85% in 2023, and then, which was interesting, in 2019, when a lot of this started, it was at 10%. So data exfiltration obviously is a huge factor for any sort of organization, especially when you're dealing with a ransomware type attack. Now, one of the things they recommend that you do, obviously, is you monitor for abnormal data movement using DLP or NDR, your network detection and response type of equipment that you may have within your organization. One of the things that is an issue that people do run into is a lot of the traffic that is exfiltrated is exfiltrated via encrypted channels. So you may have to invest in some level of decryption capability to really allow you to be able to capitalize upon that. But having large numbers, having something that can verify that there's actually data leaving in substantial numbers, would also be valuable.
So you may not be able to see that the exfiltration is occurring because of encryption, but if you can see actual size of data that's leaving, the actual, no kidding volume, that may give you a trigger that your data is trying to leave the organization.
Speaker 2:You need to restrict file transfer tools. Obviously, such as WinSCP or any sort of raw type of activities, don't allow exfiltration of data from normal activities. So you're going to have to really work with your teams to understand that. They also use immutable or encrypted backups. Obviously, the encrypted backups are an important part. So if you do any sort of backup activities and they're making them immutable, basically you write once and read many, that's an incredible part. Where I've seen it is that folks will install the ransomware inside the backups and then, when they're encrypted, they're tampered with on the way up, as they're being sent to the backup locations, so that when they pull it down after an incident has occurred, they now have the encrypted file within their organization. So you're going to need to really make sure that you have some good software in place that will look for malware ingested or injected into the overall backups, as well as ensuring that you have immutable backups to ensure that they're not reinstalled with malware. Obviously, having strong identity and access management to include multi-factor authentication is a really good way to limit the access and stop some sort of credential abuse.
Speaker 2:And then, if you can, adopt zero trust. Now I will say the zero trust piece of this is an easy word to say. It's an easy bumper sticker. Adopt zero trust. That's what they talk about in the article. We all know that adopting zero trust within your organization is extremely challenging, and I would say in some places it's probably impossible. But adopting zero trust in certain areas within your organization is definitely doable, and you could also look at it as the hospital you never get out of, where you go within one part of your organization and start to implement zero trust, and then in another part you open it up, or you will install it (install is not the right word), but you'll deploy it as time goes on in another part of your organization. So kind of keep that in mind, zero trust.
Speaker 2:I really want to do a podcast on that specifically, because there is a lot of value that can be had from zero trust. But as an architect, you know there's no way. No way is not the right word. It's highly unlikely that you're going to be able to deploy this completely through your organization without destroying a lot of stuff and without having a significant amount of buy-in from senior leadership. So it can be done, it is being done. It's just I don't see it done on a mass scale and pulled through an entire organization. But you know what? You can prove me wrong, which would be awesome.
Speaker 2:So, that being said, that's a great part about the article. I would highly recommend you read it. Again, I would recommend reading these articles to kind of get the juices going in your brain, so that as things are occurring within your organization you go, oh yeah, what about that? There have been a lot of different security mechanisms that I put within my organization because I was reading articles like this and going, wait a minute, can we do this really easily? Can we do this simply? Can we do a part of this? And that is a really, really great thing to do. It also is something that shows your senior leaders, in my case my CIO and my CFO, that you are constantly thinking about new options for the organization and how to best protect it. They won't always buy into it, but at least you're thinking about it and you're trying to better protect your organization.
Speaker 2:So now that's all I've got for you on the article side, but let's roll into the rapid review for domain one. Hey all, it's Shon Gerber with CISSP Cyber Training and this is the CISSP rapid review exam prep covering domain one, security and risk management. So this is the question breakdown per domain, and we're going to start this off with domain one, and domain one, as you can see, is about 15% of the questions for the CISSP exam. Now, as you look at this and as we go through this rapid review, you're going to see domain one has a lot of content in it, and therefore that's why they have 15%. As some of the different domains have less content, they have a lower percentage of the overall questions. But overall, if you look at this, it's pretty evenly stacked between all the various domains, from basically as low as 10% up to as high as 15%. So the bottom line in all this is you're going through this rapid review.
Speaker 2:One of the things you can ask yourself is how am I understanding this content? So if you go to CISSP Cyber Training and you try some of the quizzes and you go, you know what, I'm getting these really well, then maybe don't put as much emphasis and as much time on studying those as you would on areas that you struggle with. Some of my students struggle with the software development aspects of this, and so, because of that, I would recommend you spend 80% of your time on the 20% that you struggle with. So, if you look at the infographic to the right, again, devote 80% of your time to the 20% you struggle with. It's the 80-20 rule. However, that does not mean you ignore the last 20% by going, yes, security and risk management, I get it, it's good, so I'm not going to study it. Not a great idea. That's a bad idea. But it does mean that, as you go through my course, I have a blueprint that's available to you on CISSP Cyber Training that will walk you through, step by step, the book and all of those things. But as you go through those different steps, you may go, you know what, I've got this, and then, as you move to another area, I don't. So when you get through the entire book, the idea is to come back to the areas that you feel you're the most weak in. So again, the ultimate goal is to focus on the areas that you can do your best in, but also be able to focus on areas where you don't understand the content and you want to spend more time on it. So that's basically what I want to break down with this. So we're going to get into domain 1.1.
Speaker 2:There's basically 13 different subdomains tied to section, or domain one, I should say. And so the first one is going to be professional ethics. So as you study the book and you've gone through the book and the different trainings that are available to you, you're looking at what are the professional ethics and how does this work. Well, these are the code of professional ethics from ISC². They have this defined within the book and there are various canons that are associated with it. There are four specific canons. The first one is to protect society, the commonwealth and the infrastructure. The second is act honorably, honestly, justly, responsibly and legally. The third is to provide diligent and competent service to principals. And the fourth is to advance and protect the profession. So all of those have a very important part in the overall professional ethics of the CISSP, but mainly in cybersecurity as well. The thing you're going to learn as a security professional is that you have a lot of power potentially in the capabilities you have, and therefore you need to use the skills that you have in protecting society. They're going to be looking to you on how do I use these skills to be able to protect critical infrastructure, to protect banks, to protect people's individual livelihood, and so therefore that's an important part of this. They also want you to act honorably and justly and honestly.
Speaker 2:Because you know this information, it's very easy for people to come to you and go, hey, what do you think about this? Well, you could go, you know what? Yeah, I can take care of that. I know exactly what you need. That is not the right answer, and the reason is because you don't know everything and you may have to get some more information on it. You may want to come back and say, hey, I can help you, but I need to get a little bit more information before I do that. They also want you to provide diligent and competent services. Don't just kind of gloss over stuff. You could be able to get a lot of information from people and therefore then you can potentially help them. But if you don't do it in a way that will help them correctly and you just go, yeah, I can do some security services for you, throw some pixie dust at it, see what happens, you know what, that won't work. It may give them something and they may pay you some money for it, but in reality that's just not the way you should be doing business. And then, lastly, is advance and protect the profession. That's what we're doing right here: we're advancing and protecting the profession in the fact that we're providing services to you to be able to use so you can become security professionals on your own.
Speaker 2:So again, those are the four canons tied to the ISC² professional ethics. Now the organizational code of ethics. These are specific rules set up by the company and their values that'll help guide and direct employee behavior. Now this comes into practical guidance for daily ops, policies and procedures, different types of things that your company's going to put forth to help people with making ethical decisions in what they want to do and what you want them to do on a daily basis. It helps in their decision-making process. One example might be acceptable use policies. You're going to have a policy for acceptable use, and that's how you want your employees to use company-related assets, but if you don't tell them to do it, they go and start surfing bad sites, and what ends up happening? Well, they introduce malware into your organization. So, one, your morals or your thought process is not being spent on your employees, because now you don't have policies in place to do that. So, again, those are the high-level principles that you need to put in place as a security professional. It also helps reinforce compliance, fosters trust and then helps mitigate any risks related to employee misconduct or negligence. Again, like I mentioned before, if you don't have a good acceptable use policy, your employees will just go use their computers on whatever they see fit, or give it to their kids, and their kids will use it. I've had to deal with that before. And then how do you deal with those situations? So the ultimate point is this is what your organizational code of ethics is and the importance of it.
Speaker 2:Domain 1.2, this is applying security concepts. So there's a couple different facets of domain 1.2. We're going to kind of go into each of those here in just a second, so we're going to start off with the CIA triad, and this is confidentiality, integrity and availability. So you hear a lot about that as you've been studying for the CISSP exam. Confidentiality: this helps ensure that the information is accessible only to authorized individuals, and it prevents unauthorized disclosure of sensitive data. So you're ensuring that the data is confidential, that nobody else can see it and that it's only accessible by those that are authorized to actually have access to it. Some things that can be used for confidentiality would be encryption, access controls, data classification and various privacy policies as well. All of that is tied to confidentiality. Integrity: this helps maintain the accuracy and completeness of the data. So if you have your data that's in a log storage facility, you want to ensure that no one tampers with it. Okay, and if no one can tamper with it, it helps ensure the integrity of the data and helps ensure that it's complete and it's consistent. It also protects against unauthorized modification or destruction, which is one of the areas that the hackers may go after, looking for this type of information and therefore having the ability to destroy it or manipulate it in a way that hides what they've been doing. So examples of this are hashing, digital signatures, maintaining and managing version control, and then access controls and change management. All are tied to the integrity part of domain 1.2.
Speaker 2:Availability guarantees that authorized users have timely and uninterrupted access to information and resources. It also ensures that systems and data are operational when needed. So the ultimate point of this is that it's available to people. If people turn on their computers, they have access to it, they have access to the data that they actually need and they're authorized users for that specific data. So a good example of how this could be affected would be a denial of service attack, and that would stop you from having availability. So you have different ways to create this and protect this through redundancy, fault tolerance, backup and recovery and disaster recovery plans. All of those pieces fit into the availability piece around the CIA triad.
Speaker 2:Authenticity. Now this is a part that verifies the identity of the user, the process or the system, and it confirms that the information or resource is genuine, and this is something that we deal with in the AI world too: now, do you know that those pictures are genuine or not? That's really hard to tell sometimes, but the ultimate goal, though, is that this verifies that the user, the process or the system is authentic. And how is this done? This is done through passwords, multi-factor authentication, digital certificates and biometrics. The design is that, when you hear people talk about authenticity, you have the different controls in place to ensure that these things are authentic. Your passwords aren't being pass-the-hashed and passed on to somebody else. You have digital signatures to verify that certain equipment belongs to whom it belongs to. What are the biometrics associated with your eyes, right? All of those aspects are around authenticity. Non-repudiation.
Speaker 2:This helps provide undeniable proof that a specific action or event has occurred and prevents any party from falsely denying it. So the ultimate point is that, with non-repudiation, if I come in and I say I am Brad Pitt, well, you all know that that is not true by any stretch of the imagination, but this provides undeniable proof that, when you have the documents that are there and you have your data that is there, it's undeniably proven that this specific action or this data belongs to these specific systems. It also ensures the sender of a message or the performer of an action cannot later come back during an interview or during some sort of legal situation and say, no, I didn't do that, or I did do that. The point of it is to ensure that there's consistency and that you can't deny that this email or action was done by this person. We talked about some of the examples. You have digital signatures, you have logging and monitoring that's available, and then you have third-party timestamps that are set up specifically. Now can all this stuff be spoofed? Yes, stuff can be done to it to help obfuscate it, but the ultimate goal is that you create a system, as a security professional, that takes into account all of these different aspects. Your CIA triad, your authenticity and non-repudiation are all pieces that you need to consider when you are deploying cybersecurity solutions.
Speaker 2:Okay, so, domain 1.3, security governance principles. So the ultimate goal in this subsection is to kind of get into different areas around governance. So the alignment to business strategy, goals, missions and objectives. Now your security efforts must directly support and enable the organization's core mission and strategic goals, and not operate in isolation. I see this a lot. So when you're doing your security capabilities within your company, you are operating in tandem with different aspects of your company, such as legal, compliance, other parts of security and IT. You are not in a vacuum. You're not in a stovepipe (I don't even really know how many people would ever get into a stovepipe), but the bottom line is you're not operating independently and you're working as a team. This ensures that your security investments are prioritized based on business value and risk tolerance.
Speaker 2:You're going to see this, as a security professional, that a lot of times you're going to go, well, you have a budget, I don't have a budget, what should I do with my budget? It's going to come down to the fact that you have to show and equate what risk is being mitigated with the investments that these security folks are putting forward. What is the business value? And as security people, so often we do not always talk to the businesses and want to work directly with them. You are going to have to do that. It's imperative that you, as a security professional, are working with your businesses and with the other leaders within your company to, one, understand the risk, and then to put things in place to either accept it or to mitigate it. Those are different pieces that you're going to have to work through.
Speaker 2:Now the organizational processes. This deals with acquisitions and divestitures. Now some security considerations need to be integrated in all of these aspects when you're looking to bring on a company or you're looking to sell a company. I've been through many, many acquisitions and divestitures, and if you don't have security baked in at the beginning, it gets very messy about six months to a year down the road. So you have to consider that. And for acquisitions, you need to conduct thorough cybersecurity due diligence on the target companies. I had a sale once; it was going to be the purchase of a company. I brought forward some of the issues that they had related to security, and that wasn't the only reason, but at the end of the day we didn't acquire the company, and it was due in part to what we had provided from a cybersecurity standpoint.
Speaker 2:Now divestitures, same thing. You need to have a good separation of your systems and data, to include data sanitization, for the fact that you're going to sell your company off, and it needs to be built into this. So as you go into an organization and you look to go, all right, what do we have in place, and then you start putting your data in segregated buckets, knowing full well that potentially some of these business units might be sold. You need to consider that and work with your business leaders to figure out the best way to make that happen. Now, governance committees. You need to establish formal committees. These are security steering committees, maybe working groups, risk committees. These all have clear charters, roles and responsibilities and what they're going to do for the organization, and they will provide strategic oversight and approve and improve the security policies of your organization. Now, I've dealt with many working groups before, some that I've set up that are very good and some that I've set up that are not very good. You need to really understand what you're trying to accomplish with the working group and then what the clear charter is on what it's supposed to do. So those are really important aspects, and I deal with this on a daily basis. So it's imperative that you kind of think about this now while you're studying for your CISSP, because you will be dealing with this on a daily basis, guaranteed. Okay.
Speaker 2:So part two is going to be around organizational roles and responsibilities. You need to clearly define and document your cybersecurity roles. This would be your CISO, your data owners, data custodians, and the CISSP book goes into great detail around each of those. You need to define each of those areas within your company, and I highly recommend the data owner and data custodian get worked out really well. Data has legs. It will sprawl, and if you don't define who the owners are and who can manage it, it's going to have all kinds of issues, and you won't deal with it short term, you'll deal with it long term. So it's an important part to define these capabilities.
Speaker 2:You also ensure proper segregation of duties to prevent conflicts of interest and reduce the risk of fraud or error. And again, segregation of duties is so important. I had one time where there was a security professional and he was our cloud person as well, and he had rights to everything under the sun. That was a bad idea. We were able to get that separated and configured differently so that he didn't have all that power. But you need to ensure proper segregation of duties on almost everything you do, and when you talk about this to application owners, ask them specifically: what are your segregation of duties, or separation of duties, as well? You'll hear both terms, separation of duties, or SoD, and segregation of duties. Bottom line is ensure you separate stuff.
Speaker 2:I think I've said that enough. Security control frameworks. There are various frameworks that you need to follow, and what is a framework? Well, a framework is just basically guidance or a guidepost to help you with an overall process. So, as an example, COBIT. All these are different frameworks that are designed to kind of step you through what are the things you need to think about related to security. So, if you've got a certain area, such as identity and access management, how do you manage your identities? You have an area around governance. How do you manage your governance? There are different types of frameworks. I've been working with a bank recently and we're using the CRI framework, which is focused specifically around financial institutions. So those are different ones that you can use for your company. They provide a structured, comprehensive approach to managing and improving the organization's cybersecurity posture, and they give you, like I said before, guideposts to kind of help you walk through it.
Speaker 2:Due care and due diligence. Now you need to really understand the difference between the two. So due care is where you act prudently and responsibly, as a (air quotes) prudent person would do. You'd protect the corporation's assets and their information, and this level of care is what a reasonable person would take under the circumstances. So your reasonable person theory, I try to go back to that. You need to consider that in almost everything you do. Now, due diligence is that you perform reasonable research, investigation and analysis to ensure that you have the facts you need to help make informed and really good financial decisions. Before basically jumping into anything, you want to make sure you've done the diligence. This often precedes the due care. What it means is that you have done the research to make sure you have everything you need, so that when you actually go make the decision, you have done everything that a prudent person would do.
Speaker 2:So due diligence and due care. Domain 1.4, compliance and other requirements. This is dealing with contractual, legal, industry standards and regulatory requirements. So we're going to break down each of these real quickly. So legal: you adhere to national and international laws impacting data. So if you have business somewhere around the globe, you need to make sure that you understand the country that you're in and their laws related to data breaches, data traversing or data transferring, different pieces around what happens with the data. Does it have to be encrypted while it's at rest? All of those aspects need to be considered when you're dealing with the legal aspects of it. You also need to comply with the regulatory pieces of this. These are specific industry regulations, so you would have GLBA for financial services, NYDFS for financial institutions. Are you following any sort of requirements within the European Union? Do you have Chinese data privacy laws? Are you following the regulations specifically for that location?
Speaker 2:And then industry standards. You need to make sure that you conform to the best practices and benchmarks that have been provided, such as PCI DSS, ISO 27001, the NIST cybersecurity frameworks. Are you conforming to those? Now, one thing I ran into when I was a CISO is that I would force or require third parties, that's, companies outside of my company, to be either ISO 27001 certified or, if they can prove to me through attestation that they are meeting 27001, I would kind of push them down that path. Why? Because then I knew they were at least following some sort of framework when they were going forward. Contractual aspects: you're meeting security obligations defined in the agreements with the customers, vendors and partners, and you need to meet and exceed those contractual agreements that you have with these people, and that's another part around compliance and ensuring that you're doing that. This ensures that all organizations will avoid fines, legal penalties and any sort of reputational damage, because all of these things can have a huge impact upon you and your company.
Speaker 2:Now, privacy requirements. These are protecting personally identifiable information. Now, a friend of mine in compliance said they don't really use PII as a name anymore, but I'm telling you that most likely, the CISSP is going to ask you about PII, and this is personally identifiable information, so you need to remember that term, but you may run into different types of terms for that when you're out in the real world. You want to adhere to global privacy laws such as GDPR, CCPA, all of these different privacy laws that are in place. You, as a security professional, need to adhere to those, and that comes back to the overall ethics, like we talked about before. Now you implement principles like privacy by design, data minimization and purpose limitations, these different principles that are out there. You need to basically understand those. You need to have established clear consent mechanisms and you need to understand individuals' rights to their data. Do they want to be forgotten? Do they want to have a right to access? You need to understand the regulations that are within the company that you're operating in and the regulations within the country that you're operating in, that you are meeting these types of situations. You're meeting their data rights, you're meeting their understanding around what they should do with the data and how it should be stored, and this requires robust technical and organizational measures to ensure data confidentiality and user trust. So, again, you want to have technical and organizational controls in place to ensure that people are happy with what you're doing. There's nothing worse than, say, if someone's giving you their information and they come to find out that you're not properly protecting it. It does erode the trust of the organization and of you, so you need to really have a good plan on how you're going to manage that.
Speaker 2:Okay, so domain 1.5, legal and regulatory issues. Now you need to understand the various types of cyber crimes, from fraud, espionage, sabotage, theft, and the legal ramifications that will be associated with each of those, and you need to understand that from a standpoint of, how does espionage work? If I have corporate espionage, how does that potentially impact my company? What would happen if one of my vice presidents is charged with espionage? What if I have an employee that puts a logic bomb within my company and sabotages the overall infrastructure of my company? How do I deal with that? You're going to need to consider all of those different aspects, and if you don't consider it now, you will when someone actually does it within your company. So, adhering to data breach notification laws. These are a big one you need to understand. When do you have to tell somebody that, yes, I've had an issue within my organization?
Speaker 2:This comes down to defining what is an event, what is an incident. If they need to use the term breach, what is a breach? And you need to define each of these in each of the areas that you work in. So, then, it may vary from state to state and also by vertical, such as if you're in the financial industry versus in the manufacturing industry. Each of those is very different. I know, dealing with right now, working with financial institutions, 72 hours is what they had, and in some cases, it could be 24 hours, so it's really important that you have a plan on how you're going to deal with it.
Speaker 2:You need to ensure proper evidence collection and preservation for legal proceedings using digital forensics. You need to have a plan on your evidence collection and if you don't have that plan, you need to start considering that within your company. And if you don't have the legal teams, maybe go talk to your legal teams and ask them how we should do this. They may come to you and say we don't understand how to do it, and you may have to develop that. Now, again, that comes back to: if you don't know, tell them that. Say maybe we need to hire a third party to help us do this, or give me some time to figure that out, and then we'll come back to you.
Speaker 2:Licensing and intellectual property requirements. So compliance with software licenses: is your organization following those? This helps avoid legal disputes and ensures you have legitimate software within your company. Protecting intellectual property, I did this for my company and it's a challenge. It really is. Such as patents, copyrights, trademarks, all of those things need to be protected. And then you need to be able to provide guidance to your legal counsel on what should be protected, and in some cases I've worked with them to let patents go. They go, when would we need this? And I might talk to them about how do you want this data stored? Who owns the patents? All of those different aspects around copyright and patent infringement were visited with many of my legal team when I was doing IP protection. You also need to understand the legal frameworks for IP enforcement in the digital realm. Again, understanding how these legal frameworks work and then how you're going to ensure that you are protecting the intellectual property of your organization.
Speaker 2:Import and export controls so there are times when you may send data or send intellectual property to another country. What are the import and export controls with this? And this is where you adhere to the national and international regulations governing import-export, especially of cryptographic technologies. So if you're going to be sending over some sort of encryption to China, what are the rules and regulations around that and is there any sensitivity to it? You need to make sure that you meet those compliance requirements for these trade restrictions and sanctions lists and you need to work with your compliance teams on doing that. Like I mentioned before, you need to have a very strong relationship with your compliance and legal teams to help you in this overall process.
Speaker 2:Transborder data flows. This is where you're complying with laws and regulations that govern the transfer of data across national borders, especially as it relates to personal data and government secrets. I can't tell you enough that if you don't have a plan around transborder data flows, it's going to bite you someday. So if you have an international business, if you have a global business, you really truly need to consider this. And so one of the first things as you start into a company is starting to understand where are all the data flows, where are they all going and what kind of data is going to these locations. A friend of mine mentioned to me many years ago, it's all about the data, and it really truly is. And you understand these data localization requirements and mechanisms for lawful data transfers. This happens a lot with GDPR. Is the data sitting in Europe? How are you transferring the data out? Is it anonymized? Is it encrypted? What is being done with it? Those are your transborder data flows.
Speaker 2:Privacy. You need to meet the ethical and legal obligations required for its collection, potential storage and any sort of processing of PII. Again, there's that term again, PII, but you're going to have to understand, do you have different obligations in place to keep it? When you work with your compliance folks, they're going to help you with this, but they're also going to come back to you and ask you questions around what would you recommend? You're going to have to know those, on what you should be doing. Comprehensive privacy regulations such as GDPR and also CCPA. Again, privacy core: you need to implement core privacy principles like data minimization, purpose limitations, consent and individual data rights. Again, it comes back to privacy is a huge factor. You need to consider privacy within everything that you do and it should be almost coming off your lips as synonymously as when you're talking about security. It's very important that both of those are tied together.
Speaker 2:So that's all I've got today for the CISSP Rapid Review Exam Prep. This is over Domain 1. And now you can join me again on Thursday. You'll get the second half of this Domain Prep and it's going to be available to you. It's awesome. You can actually see the whole thing on my website or you can go to YouTube. It's out there as well, but all of that stuff is available. Go to cisspcybertraining.com. Check out all the free content that's available. There's even more coming here in the near future. Also, get my paid content. I have lots of paid content that's there.
Speaker 2:With that, you get help that walks you through the CISSP. There's CISSP questions. There's the overall blueprint to walk you through step by step. It's designed to help you, guide you through the CISSP, and so you pass it the first time and don't do what I did and pass it the second time, or the third, depends, but it doesn't matter how long it takes for you to pass it, just pass the test, that's all. Thanks so much and we'll catch you on the flip side, see ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.