CISSP Cyber Training Podcast - CISSP Training Program

CCT 296: Compliance and Contractual Requirements (Domain 1.4)

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 296


Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

A tiny payload hidden in a legitimate-looking NuGet package can sit inside an industrial network for years, then trigger cascading failures in minutes. That chilling scenario sets the stage for a hands-on tour of CISSP Domain 1.4, where we show how to turn high-level rules into clear, defensible security controls that protect real systems and pass tough audits. We connect the dots between contracts that demand fast breach notifications, laws with sector-specific obligations, and frameworks that teach you how to structure your program.

We break down the essentials: identify the data in scope, pick a backbone framework (ISO 27001 or NIST CSF), and map each requirement to specific controls and evidence. You’ll hear practical mappings for HIPAA, GLBA, COPPA, FERPA, NYDFS, DORA, SOX, FISMA, and PCI DSS, plus how to handle extraterritorial reach under GDPR and data localization that shapes your cloud strategy. We also highlight why contractual terms often outrun statutes and how to build a requirements register so operations knows exactly what to log, how fast to notify, and which controls must exist.

Then we get tactical. Learn how to create a regulatory register, assemble audit-ready proof (policies, procedures, configs, logs, training, attestations), and run incident tabletop exercises that include vendors and clarify when the notification clock starts. For industrial environments with rare patch windows, we offer pragmatic steps: maintain a software bill of materials, verify package sources, enforce code signing where possible, document every change, and compensate with monitoring and segmentation when upgrades are risky. By the end, you’ll have a blueprint to translate compliance into resilience—fast enough for 72-hour breach clocks, strong enough to handle delayed threats, and simple enough to sustain.

Subscribe for more CISSP-ready training, share this episode with your security team, and leave a review to help others find the show. What framework are you mapping to today?

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

SPEAKER_00:

Welcome to the CISSP Cyber Training. CISSP. Hi, my name is Shon Gerber. I'm your host. I provide the information you need. CISSP exam and roll your cyber checker in the light. All right.

SPEAKER_01:

Good morning, everybody. It's Shon Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is Monday, and we are going to be focused on CISSP training that is going to be specifically for you studying for the CISSP exam. And this is for domain 1.4 of the CISSP exam. And so you can go to your books if you wish and you can follow along, or while you're driving, don't do that. That would be really bad unless you have a Tesla. I guess you could do it then. But other than that, we're going to be getting into 1.4. But before we do, we want to bring up an article that I saw in the news today that actually has me quite concerned. And I think you all might agree with me on this one. But it's quite interesting. Um, the great thing about some of these articles is you see what goes on in today's world, uh, it has only gotten worse and worse. We'd say I sound like an old man now on this broken record. Well, my people, my day, we had it a lot easier. Uh, well, I mean, yeah, I guess no, because we didn't have all this internet stuff. But that being said, this interesting article that I saw uh in The Register as it relates to a plant destruction time bomb malware in industrial .NET extensions. Now, this was an interesting call in the fact that now we're getting into, we knew this was coming. We knew it, and we've seen little tidbits of it, but there's more and more of it where you're going to have uh basically malware that's pushed out to these systems that will then trigger at a certain time and place in the future. And especially when you're dealing with critical systems and manufacturing environments, this could be extremely bad. Um, and I'm really, I say I'm shocked, but you wouldn't anticipate this would be something that a script kiddie would want to go and do unless they just want to try to blow stuff up.
This is more of a nation-state thought process in my mind of how you can go and start having this trigger at a certain time and place when you wish for it to occur. So, what actually are we talking about here? Well, the source is that these attackers planted malicious NuGet .NET packages in '23 to '24 that include a time bomb logic that are set up to go off at a certain time. Now, this was discovered just recently, on the 7th of November in 2025. Now, what does this basically mean? Well, what's a NuGet package? Well, if you're not real familiar with what a NuGet package is, it's a standard packaging format and distribution that is set up within .NET software. So it's a package that you would set up and it automatically runs, right? It will have compiled assemblies such as DLLs, it'll have your metadata, it'll have configuration and content files. So it's basically a package that's set up to be pushed to run by itself. And that's what they would call a NuGet package. Java, Python, all of these have different types of products out there. Like Java will have npm, Python will be PyPI, and Maven serves for Java. So these are all the different types of packages that are available. Now, this is focused specifically on .NET, nothing more than .NET at this point. Nine of those contain malicious payloads. And of that, there was basically 10,000, these were downloaded at least 10,000 times before they were actually removed. So there were 12 packages tied up inside here. Of those 12, nine of those had malicious payloads in them. Now, the packages mostly contain legitimate and useful code, i.e., hide in plain sight. I mean, that's one of Sun Tzu's major things around the Art of War, hide in plain sight. So around 99% of them were benign, according to this article from Socket, the ones that went through all of this. But there was a small 20-line malicious payload buried among the thousands of lines of code, obviously, to be able to get through.
And that was what kind of the purpose of it. These packages were delayed in the fact that they were set to go off on around 8 August of 2027 for the SQL Server and for SQLite, which is around the 29th of August 2028. Now it's basically creating a very long fuse in which these are put in place. Now let's kind of talk about where this is going, right? So if we're in the industrial environment, this is one of those situations where these guys will update, they'll put a patch out, which, one, a patch takes a long time to even get put in place. Two, they will put those in place and they sit forever and they're there. They don't update these systems a lot. And I think one of the main reasons they focused on this 2027 date is because they understand and realize, I mean, I'm just making an assumption here, that it takes a long time for most industrial complexes to put updates and patches to these systems. So because of that, they will then put them out there and let them sit for a while. That again, in an industrial environment, these will sit inside your network, just sitting there happy for a long period of time before they actually trigger. So this is a very, very scary thing. Uh, and depending upon how your organization deals with packages and deals with these different kinds of uploads, uh, it could be uh something that you may not deal with for years. And in most cases, that long of a lead time, the people that actually install them probably won't be with the company anymore after that period of time, right? That just happens. People roll in, people roll out. So this was designed with an immediate and a delayed behavior. So what it was designed, designed, geez, that basically it included immediately activating the malicious behavior, basically ceasing after the 6th of June, and then a randomized short delay, 30 to 90 minutes, that could rapidly produce crashes and failures in manufacturing.
So the point of it is that it would cease after the 6th of June 2028, but it would go in these 30 and 90 minute increments to basically cause massive chaos and things falling apart in a manner that would be more or less chaotic or cascading. That's the right word I was looking for. It would be chaotic, but it would be more cascading. Now, these are probability-based. Uh, now some of the detection and response problems you're going to run into with this. Because the payloads were published years before activation, the original people that introduced it are probably no longer there with the company, right? We just kind of talked about this a little bit. And most of these packages, when they're brought in, they were considered air quotes trusted. So it's highly likely that if this were to occur, and I'm sure it's in other people's environment, and I would highly recommend that if you have an industrial or even like healthcare, anything that's got a PLC type of environment, that you go out and look at some of the packages that you've installed. Because of the simple fact that these will sit there and lay dormant for so long, when they actually do trigger, it will cause chaos and pandemonium because most people will not know what to do at all. Uh, and they won't know where this is coming from and why it came from. So, what should you possibly do? So I would consider looking at an incident response checklist that does have these NuGet packages included in them. And I would actually, if you can, I would go through and see what packages you have updated. If you have not kept track of the different updates that you've done within your organization, um, then well, shame on you, you should. You should obviously, through configuration management, which we've talked about in this podcast a few times, you should have a record of what packages have been pushed to those in various environments.
I would start looking at some of these packages just to kind of verify that you trusted them, where they come from. And then going forward, I would highly recommend that you continue to keep these in an organized manner and that you also document them as well. So any type of activity, you can see that you might very well have a ticking time bomb sitting in your environment and you don't even know it. So if you haven't done it, then start now. Start today creating this configuration management plan and have it uh set up so that you are actually making sure that you have documented resources on each of these changes that are occurring within your industrial base. And I'm gonna point fingers at myself. Did I do this properly when I was a CISO? No, I did not. I just downloaded them, we installed them. So I can highly suspect that you didn't do it because I didn't, right? I didn't do it. I did it for change management for the enterprise, but for my industrial systems, I was not as methodical as I should have been with this. And so this was something that maybe you could look at where there's an area for improvement in this space. Again, these updates don't happen very often within an industrial environment. They do not happen as frequently as you're dealing with your enterprise. But when they do happen, you should have a documented record of what has occurred, where it's occurred, what are the packages involved, and then what kind of testing was done on these packages. So again, it's something to kind of consider. Uh, again, it's through The Register, it's "Cybercrims plant destructive time bomb malware in industrial .NET extensions." So check it out, go read it. Uh, it's a really good read. All right, let's move on to what we're gonna talk about today. But before we do, I gotta put a shout out, a plug for CISSP Cyber Training. Head on over to CISSP Cyber Training and check it out.
We've got a lot of great content out there at CISSP Cyber Training to include different podcasts. We have a blog, I have resources with other uh folks that are out there. There's also my entire CISSP training program. I've got tons of free stuff in my resources section. If you go to my resources section, you will see all of that stuff that's available to you. It's all there waiting for you at CISSP Cyber Training. If you want a little bit more hands-on aspects of it, head on over to my various content that I have, and I've got all kinds of information and content packages that are available for you specifically to help walk you through the CISSP exam. I got over 50 hours of video. I've got 1,500 plus questions. There's thousands that have gone through my programs, and I guarantee you you will be extremely excited about seeing this. There's a lot of great content out there and available to you at the CISSP exam, or CISSP Cyber Training, I should say. Okay, let's get into what we're gonna talk about today. Okay, this is domain one, 1.4, compliance and other requirements. So, what are we gonna get into today? All right, so just a key overview around what we're gonna begin talking about. So, you as a CISSP, you as a cybersecurity professional, must be able to identify what rules apply, translate them into security requirements, and demonstrate that you've done due care and due diligence on these. And then we're gonna get into some various regulations and contractual aspects that you're gonna have to be aware of. So, failure to meet these legal requirements will create organizational risk, fines, loss of license, lawsuits, all kinds of aspects. And then if you are the CISSP or the CISO, you have the personal risk in some sectors of having a liability associated with it. So there's a lot of really great stuff that's out there that you need to be aware of.
So if you're gonna kind of put this together in a map, this law/regulation requires this type of protection, which is proved by this control type evidence. So that's the point, is that you have to translate that this law, and we're gonna get into some of these laws in a minute, is gonna require this type of protection, in the fact that maybe you have to have encryption. And how would you then prove that you have encryption? This would be done through a control or evidence factor in which you would provide that. So you're gonna have to prove that this is in place. And the ultimate point of all of this is that for you as a CISSP and as a cybersecurity professional, you're gonna have to understand these governance aspects to ensure that you're providing the best protection for your company as well as the best protection for you. Because, like we mentioned, uh, you could become liable as well. So let's get into some different items to consider. You have contractual requirements. These are obligations from customers, suppliers, cloud providers, or partners that are set up that you must follow and be maintaining. And these are often much stricter than a law that's in place. And these contractual requirements are set up so that you maintain their service level agreements that they may have in place. There's also legal requirements. You may have national, federal, or state laws that are mandatory that you must follow. HIPAA for privacy, right? You've got GLBA, the Gramm-Leach-Bliley Act, you got that for the financial aspects, you got COPPA. These are all various laws that you must follow and maintain. If you're in New York, if your business runs out of New York, you'll have NYDFS. These are all things that you must maintain for your organization. Regulatory requirements. These are issued by regulators or supervisory authorities. They're often sector specific, such as I just mentioned NYDFS, NYCRR 500, DORA that's in the EU.
Those are all various sectors that are specific. I've dealt with the Coast Guard, had specific requirements based on our manufacturing and industrial environment within the Gulf Coast of the United States. So all of these have different types of requirements that are put on you and your company. There's industry standards and frameworks. These are not always air quotes laws, but they are widely adopted and sometimes referenced in contracts. ISO 27001, PCI DSS, Cybersecurity Framework from NIST, all of these standards and frameworks are required, or not required, they're referred to in many ways in these contracts, saying that you must follow and meet the ISO 27001 plan and so forth. Therefore, that's how it's kind of brought up. You have privacy and data protection rules. These govern the collection, processing, storage, transfer and access of any personal data. So you have privacy and data rules that you must follow, and depending upon the company that you're with or the corporations that you're engaging with, they may have specific privacy and data protection rules that you must follow if you're going to be doing business with them. It's an important part for you as a cybersecurity professional, as a CISSP, to make sure that you understand what these are and that you read the documentation associated with it. I've read a lot of contracts and a lot of different agreements between organizations, and it's important for you to then pull out what is relevant for the company to protect you and your business interests. International jurisdictional issues. Data in one country may be subject to another country's laws. And so this is where the extraterritorial reach is coming in. So in the case of you, maybe you have a situation where you're in the EU and some of the data in the EU needs to stay there. But can it leave the EU? Well, if it does, then is it still under the jurisdictional aspects of the EU? Potentially it is.
So you need to be aware of all of these connections, this connective tissue you need to be connecting with. So if you're dealing with privacy versus security, just keep this little point in mind. Security protects data. Privacy governs the rights around the data. So you need to recognize when to involve the legal and compliance teams on any of these aspects that you're doing. It's so important that legal and compliance are involved in pretty much all the decisions you make related to these types of activities. I cannot stress this enough, legal and compliance. And I know if you've been listening to this podcast for any period of time, you know that those two are an important part of any organization. You must be able to produce or support audit evidence, and this kind of talks about our first slide we went over, is the fact that there needs to be some level of evidence to prove the controls that you have in place. And these need to be able to be provided to the auditors to ensure that you are actually doing what you say you're doing. So you may say, yes, we have in place, we do a monthly look at all the firewall logs and check all of the access controls on each and every one of them. But if you don't actually do that and you don't have the evidence to support it, such as the meeting minutes where you talk about it, maybe uh a log of every time you go hit the firewalls, then it may not be sufficient for the auditors depending upon which organization you are with. So contractual requirements, some different sources to consider. The master service agreements, which are your MSAs, you have your service level agreements, which are your SLAs, and you have your DPAs, which are your data processing agreements, your BAAs, which are your business associate agreements, this is specifically under HIPAA, you have a cloud agreement, supply chain and security addendums, etc., etc.
So all of these are different types of agreements you may be subject to or be interested in viewing. So what do they typically require? Well, they typically will require some minimum security control that you have in place, such as encryption, logging, access controls, maybe incident response time, how fast you respond to a situation. And they also may have a notification timeline for breaches. So you notify within 24 to 48 hours, often much faster than what the actual law states. You're gonna have to be quick on this. Now I will say when it's 24 to 48 hours, you need to really define what notification of a breach means. When is that? It's an important part you need to work out with your legal team. And we've talked about this on this podcast in this training for quite some time. That just because you have an incident that's in your environment does not necessarily mean it's an air quotes breach. You have the right to audit and the security assessment. They may want to come in and take a security assessment of you or do an audit of you. They need to also know where their data location and data ownership clauses are at as it relates to the data that they provide to you. But on the flip side, if you're providing your data to them, you need to have some way in which you're providing that information to them as well. So they need to be a subprocessor or third-party approval, and all of that can be typically required by these various third-party organizations. Now, some considerations for you to consider is that contractual obligations can be stricter than law and must be implemented and monitored. And it's very important for that. Because again, depending on the contract you have, you might be legally liable to that, and they will take you to court, and then it gets to be really, really expensive.
Plus, on top of that, then the legal folks will probably start wanting to dig in and then they'll want to spend more time with you, which will cause you more legal expense and it'll get more and more expensive. Noncompliance, this is a breach of contract. This is related to damages and loss of a customer. You don't want to have non-compliance, obviously. You want to make sure that you are there in your contract and you are following through as expected. You must track these requirements in a requirements register so that operations and the security operations teams know what to log and what to report. So, like a risk register, if there's something tied to your requirements that you have within your company, you may want to put that in your risk register as well because it's considered a risk to you and your organization. So again, these are high considerations you need to be aware of. Contractual obligations can be stricter than law. Noncompliance can be breach of contract, and you must track these and keep these in a place so that your security operations teams and your security professionals know what to log and what to report. Now, legal requirements, regulatory, industry standards, these are some core concepts for you to kind of consider. Due care versus due diligence. Now we've mentioned this in the CISSP training a few times. Due diligence is when you're investigating, assessing risk, or selecting proper controls. That's when you're taking the time to look into all of these aspects. Due care is when you're actually implementing and operating those controls. That's when you're taking the time and effort to make sure that those controls that are in place are the ones that are specifically set up for you. The regulators will look at both of those. So they'll make sure that you did the diligence, but then they're gonna come around real quick and make sure that you have implemented the controls as expected.
You have evidence of compliance. This is where you're gonna deal with policies and procedures. You're gonna make sure that you have those in place. I'm actually doing this right now for our contract, uh, making the policies. We got the policies in place. I'm now working on procedures specifically for that organization. You're gonna have training records, so that your people have been trained on what's actually going on. You have technical configurations such as screenshots and exports, and then you'll have logs and audit trails associated with it as well. And then you'll have third-party attestations such as your SOC 2 compliance or PCI ROC or various ISO certs. And the point of those is that many organizations will want to migrate to that third-party attestation. Um, and that's where you have all the policies and procedures in place, you have your training records in place, you have a person designated to specifically do that, all the logs are getting kept, they're all being passed on to a security operations center, and then these third parties will come in and assess you and make sure that you actually are doing what you say you're doing. The extraterritorial, this is where some law applies because of where your data subject is. So, for example, GDPR or COPPA, it's where you offer services, not because of where your services are. Uh, a good example of that with GDPR is if you're offering services that are in the EU, your data will reside within the EU. And so you just keep that in mind. Um, that's just various pieces that you must be aware of and you must be okay with. Data retention and e-discovery, some laws require keeping data for a defined period, others require deleting it after a period of time. You must know the legal holds and override the normal deletion cycles. You must understand that.
You must know that when you're putting something on a legal hold, that will not delete, you must not let it get deleted. Uh, therefore, as a security professional, it's going to be up to you. If you are the main person, when someone says, hey, I'm putting everything, the legal guy says we're putting it all on legal hold. Okay, cool. But your deletion policy states that after one year all the data is deleted. You may have to be the person to go, whoa, whoa, whoa. Yeah, anything but legal hold. So put that in a separate place within your company so that it is not deleted. Uh, that's some training that you can come up with that can actually be very helpful for an organization. So, some key privacy and sector laws that you should be aware of. Obviously HIPAA. So, we're gonna go through a laundry list of these and some key points in each of them. HIPAA is your Health Insurance Portability and Accountability Act. Uh, this applies to covered entities and their providers and the plans and also the business associates that go along with it. You have a security rule, which is administrative, physical, technical. You have a privacy rule, which governs PHI use and disclosure. So you need to get connected to that. You can see these slides at CISSP Cyber Training. They're all going to be there and available for you. You'll also be able to see it on the blog. Uh, there's the breach notification rule. This is where you have timelines, content, and sometimes media and your Health and Human Services notices. And you should be aware of all of this. As far as that, you need to understand how do you protect PHI. And this could be through access controls, encryption, audit logs, all of that must be in place to ensure that you're meeting the HIPAA guidelines. You have GLBA, which is your Gramm-Leach-Bliley Act. This is for U.S. financial institutions. And it applies to financial institutions and some non-bank financial services.
Now there's a safeguards rule. This is where you develop and implement and maintain a written information security program. And we talk about this a lot. If you're following any of these other frameworks, you're going to have an information security program already well defined. There's then a privacy rule, which is notices to consumers, opt-outs in some cases, and you need to focus on risk assessments, vendor management, encryption, monitoring, change management, and the training that goes along with it. That's what the GLBA focuses on. Again, financial institutions and some non-bank financial services. COPPA, this is your Children's Online Privacy Protection Act. This applies to any online services directed to children under the age of 13 that are knowingly, air quotes, collecting data from them. So now in the CISSP Cyber Training, do I have to follow COPPA? Well, I'm not actively going after anybody under the age of 13 unless you're really smart and you've been doing this since you were like five. So I'm not the kind of person that would necessarily be targeted under COPPA. However, Bluey and all those other types of products out there for children that may be trying to, you know, go after the parents, go after the kids, they definitely fall under the COPPA issues, right? So verifiable parental consent, clear notices, and data minimization, all of those pieces need to be maintained. So data classification, child versus non-child data, consent tracking, limited sharing, secure storage, all of those pieces fall under the COPPA Privacy Protection Act. FERPA, Family Educational Rights and Privacy Act. So this applies to educational institutions receiving U.S. Department of Education funds. Now this is education records, rights of parents and students.
So basically, what it comes down to is anything that deals with your education, the rights of the parents and the students, any communications back and forth, that falls under FERPA. So again, access controls, disclosure logging, directory information, PII. Again, you'll see there's a lot of consistencies between all of these. But you need to understand for the CISSP exam, the understanding of what is FERPA, what is COPPA, what is the Patriot Act? That's the next one. How does it work? So the Patriot Act was designed specifically around surveillance and disclosure authority. It enables the government to request certain data for national security and investigations. And you need to understand what is, and I don't actually even know at this point. I think the Patriot Act's been renewed a couple times. I don't know if it's actually been renewed as of late, uh, but I will tell you that they will potentially ask you questions on the CISSP because it's based in 2024 and it was still a factor in 2024. So it's highly, I should say it's highly likely, it is possible that they may ask you specifically around the Patriot Act and its use within your organization. NYDFS, this is a cybersecurity regulation that was brought up by the New York Department of Financial Services. I had to deal with this a few times with different companies. And this is basically you must have a cybersecurity program, you must have a CISO, you must have risk assessments, multi-factor, audit trails, 72-hour incident reporting, all those fun things. You must have that in place for you to be operating as an organization within New York, um, the state of New York, and anything that deals in the financial services aspects. So this is a prescriptive rule, and you must show the controls actually exist and are tested. They do not allow you to say, oh, you fill out the form. Okay, you're good, no problem.
You will actually have to show that these things are in place, and then auditors will come in and look at you.

DORA is the Digital Operational Resilience Act. This is for the EU and its financial sector. EU financial entities and critical third parties, these are the folks that are under DORA. Here you are focused on resilience, risk management, incident reporting, testing, third-party risk as well. Again, I'm talking about these one at a time, but if you consider most all of these areas, they deal with all these aspects: resilience, risk management, you name it.

We have additional state privacy laws. Obviously, you have CCPA, CPRA, you have Virginia, you have Colorado; all these different states have their own types of things. You know, some consumer rights, you have privacy rules for the different states that you're working in. I would say one thing to consider as a security professional: if you are gonna be focused on the privacy rights within your company, focus on the most restrictive ones. So California, Maine, Massachusetts. Those are some of the more restrictive privacy rules. If you focus on what they require, and then you put that same requirement into your company, you're in a good position that you're gonna be relatively safe from any sort of potential issues. So just kind of keep that in your back pocket.

Some additional acts or aspects that you need to be aware of. SOX, Sarbanes-Oxley. This is for public companies, and this is basically integrity of financial reporting; it requires internal controls over financial systems. Again, same kind of concept. You make sure you have the controls in place. Their focus is change management, access controls, logging, and segregation of duties. FISMA, FedRAMP, this is the federal aspect of it. FISMA is for federal systems; they must use the NIST RMF, that's the Risk Management Framework, categorized under FIPS 199. FedRAMP is focused on cloud services for the U.S.
government, and they must meet the 800-53 baselines, your cybersecurity framework aspects, and they must be authorized. Again, control baselines, continuous monitoring, and various aspects need to be considered when you're dealing with FISMA and FedRAMP.

CFAA, this is your computer crimes law. This is unauthorized access, exceeding authorized access, and fraud. Your focus on this should be administrative and security tools and where they're used lawfully, and then it'll define your overall acceptable use. So wiretap laws, you need to be aware that there are wiretap laws in place, especially in the United States, and it depends upon the state in which you reside, but in the United States, just one person has to consent to recording. So in the case where you're talking to somebody on the phone and you say, well, I consent, I'm not telling that person I consent, but I consent, you can actually record the conversation of what's going on. So you need to be aware that wiretap laws still exist; they're a bit dated and they're not keeping up with the times, but they are out there and they're on the books.

Industry standards, I can't even say industry standards, my goodness almighty. So these are quasi-regulatory. What I mean by that is that people will talk about them, but they don't typically say they're required. PCI DSS, again, this is contractual but enforced like a regulation by the card brands and acquirers. So your Visa and all the MasterCards and all those, they will require you to meet their, air quotes, guidance. But it is not regulatory. But if you want to work with them, you've got to follow it. And if you don't follow it, you don't work with them, which basically is pretty much a regulatory standpoint. This is where network segmentation, secure coding, vulnerability management, all of those pieces are a big part of PCI DSS. ISO 27001 and 27002.
This is a management systems approach, often required in contracts or by global customers. It's a risk-based selection of controls, and it's designed with separation of duties and internal audits. And then your NIST CSF, your Cybersecurity Framework, and the 800 series that are in that. This is often referenced by U.S. regulators, NYDFS, the SEC as well, and it may become the expected baseline. It might be something that you have to follow, whether or not you actually are following it at your company. So you might be following an ISO standard. Say, for example, you're doing ISO 27001, but the US government or NYDFS is requiring you to do one of the 800-53 series; you're gonna have to map from ISO 27001 to NIST 800-53. So again, you'll have to just do some mapping back and forth. There's legal requirements. NIST obviously has identify, protect, detect, respond, and recover. Those are the key functions around NIST. If you look at a lot of the different frameworks, they have a very similar kind of flavor to them. They may not be quite the same, but they're pretty close. So again, keep that in mind. You're gonna have to follow a lot of those. You may have to deal with them more. They may become more of a regulatory requirement, even though they are not a requirement under any sort of regulation out there. They just may be highly suggested that you do them.

So, how to translate these into security requirements? So, identify the data plus the system and scope. So, keep this in mind. We're just gonna walk through these; these are some little things for you to kind of consider. PHI, this is a HIPAA standard. Customer NPI, this is a GLBA standard. Cardholder data is PCI DSS. Student records would be FERPA. EU personal data would be GDPR, or DORA if it's financial. So the point of it is: keep in mind PHI, if you hear that, it's HIPAA. Customer NPI, that would be GLBA. Cardholder data, PCI. Student records, FERPA. EU, GDPR, DORA.
Those are some things necessary if you're trying to figure out how to map between the two. Now, obligations to controls, mapping these, connecting these two. Access controls, RBAC, MFA: NYDFS, HIPAA, GLBA, PCI. So again, they want access controls. Logging and audit trails: NYDFS, SOX, and PCI. Again, you can see these are all kind of stacking on each other. Incident breach notification: HIPAA, NYDFS, GDPR, and various contracts. And again, the timeline will be 72 hours for the big ones, NYDFS and GDPR, and then it's potentially as short as 24 hours, depending on the situation with your contracts. Third-party management: you've got GLBA, DORA, NYDFS, HIPAA. So all of those are third-party aspects. And then training and awareness: almost all frameworks deal with training and awareness of some form or another. So obligations, so kind of map this in your head, which ones they are. Access controls, logging and monitoring, incident breach notification, third-party management: all of those you should be able to map to the appropriate act that might be involved.

Document in policy and standards. So you now can show the auditors we know what applies and where and how to meet it. This is where you document this. You want to make sure that you show these auditors you understand all of these aspects. And then you need to maintain a regulatory register. So some sort of register saying, hey, law X, this is how it's mapped to the various controls that I have in place. Law Y, this is how it's mapped to the various controls I have in place. Now, if you do this well and you have already kind of put a good program in place, it's super easy, because there's plenty of programs out there that will help you map this. So pick a framework. Whether it's ISO 27001 or it's the NIST Cybersecurity Framework or something else, pick one specific framework and follow it.
Once this is all done, you can then map back to what controls you have in place to meet these various audit requirements. So again, it's an important part. Pick one and follow one. Okay. I hope I made that crystal clear.

So what should you watch out for as a security professional? One, conflicting requirements. One law will say retain, the other will say delete. This is where you need to bring it up to legal and have them help define the precedence around this. Once you define what that is for you and your organization, you say, okay, we are going to retain. Period. Dot. It says delete, but we're retaining, and these are the arguments for why we see it this way. Now, if a regulator comes in and says, well, that's wrong, at least you've had legal counsel, you've talked about it, you've thought about it, you've planned it. This is why you've done it, versus you just going, eh, we're just going to keep it. You can't do that. You've got to bring other people into this conversation. Data localization and cross-border transfers. Some regimes and some areas, like the EU and APAC, do limit data transfers between them. And this will affect your overall cloud strategy, and you need to be aware of how you're planning on doing that. Your breach definitions will differ: HIPAA versus state privacy versus contract. Always design incident response to meet the most stringent, like we talked about just a little bit earlier. If you focus on the California, Maine, Massachusetts areas, you are in a much better position than if you focus on, I'm gonna say, Kansas, because Kansas probably isn't nearly as strict as some of those. Third party and supply chain: DORA, NYDFS, these all emphasize third-party risks. You must include vendors in your risk assessments and in your incident response testing. So you need to keep those in mind as well.
So these are all important parts as we're dealing with the contractual aspects and the governmental aspects of the CISSP and of your cybersecurity program within your company. So again, keep those pieces in mind related to all of that. All right, that's all I have for you today. Hope you got a lot out of this great information. Head on over to CISSP Cyber Training and check out what we've got. Got a lot of great free content, but check out my paid products. They are there and available for you. If you need a step-by-step concierge approach to studying for the CISSP, the one thing I struggled with was the fact that I didn't have anybody to teach me and train me on what I needed to know for the CISSP. That is what CISSP Cyber Training is there for. It's to help walk you through it step by step by step. Those paid programs are there with the blueprints, with the calls, with the conversations with myself; all of those pieces are available to you, and they're all in a paid format that allows you to get ready for the CISSP in a way that'll help you pass it the first time. All right, thank you so much, and we will catch you all on the flip side. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube; just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.
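The episode describes a regulatory register in words: identify the data in scope, work out which regimes apply, map each regime's obligations to the control families you run, take the most stringent breach-notification clock, and flag retain-versus-delete conflicts for legal to decide precedence. The following Python is an added example of that register, written for this page; it is not code from the podcast or from CISSP Cyber Training. The data-to-regime pairs, the obligation lists, and the 72-hour (NYDFS, GDPR) and 24-hour (contract) clocks are the ones the episode states. The contract name "ACME-MSA" and the "LAW-X" / "LAW-Y" retention entries are constructed placeholders standing in for the episode's unnamed "law X" and "law Y"; no other regime here carries a notification deadline, because the episode gives none.

```python
"""Requirements register: data in scope -> regimes -> obligations -> controls.

Added example for this page; not the podcast's own material. Regime and
obligation names follow the episode; ACME-MSA, LAW-X and LAW-Y are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Regime:
    name: str
    obligations: frozenset            # control families the regime demands
    notification_hours: Optional[int] = None  # None: clock not captured here
    retention: Optional[str] = None   # "retain", "delete" or None
    contractual: bool = False         # PCI DSS and customer contracts


# Data in scope -> regime, as the episode lists them.
DATA_TO_REGIME: Dict[str, str] = {
    "PHI": "HIPAA",
    "customer NPI": "GLBA",
    "cardholder data": "PCI DSS",
    "student records": "FERPA",
    "EU personal data": "GDPR",       # DORA is added when the entity is financial
}

AC, LOG, NOTIFY, TPRM, TRAIN = (
    "access control", "logging and audit trails", "breach notification",
    "third-party management", "training and awareness",
)

REGISTER: Dict[str, Regime] = {
    "HIPAA":   Regime("HIPAA",   frozenset({AC, NOTIFY, TPRM, TRAIN})),
    "GLBA":    Regime("GLBA",    frozenset({AC, TPRM, TRAIN})),
    "PCI DSS": Regime("PCI DSS", frozenset({AC, LOG, TRAIN}), contractual=True),
    "FERPA":   Regime("FERPA",   frozenset({AC, LOG, TRAIN})),
    "GDPR":    Regime("GDPR",    frozenset({NOTIFY, TRAIN}), notification_hours=72),
    "NYDFS":   Regime("NYDFS",   frozenset({AC, LOG, NOTIFY, TPRM, TRAIN}),
                      notification_hours=72),
    "SOX":     Regime("SOX",     frozenset({AC, LOG, TRAIN})),
    "DORA":    Regime("DORA",    frozenset({NOTIFY, TPRM, TRAIN})),
    # Constructed placeholders for "one law says retain, the other says delete".
    "LAW-X":   Regime("LAW-X",   frozenset(), retention="retain"),
    "LAW-Y":   Regime("LAW-Y",   frozenset(), retention="delete"),
}


def applicable_regimes(data_types: Iterable[str], *, ny_financial_services: bool = False,
                       eu_financial_entity: bool = False,
                       contracts: Iterable[Regime] = ()) -> List[Regime]:
    """Step 1: identify data plus system and scope, then resolve to regimes."""
    names = set()
    for data in data_types:
        if data not in DATA_TO_REGIME:
            raise ValueError(f"unclassified data type in scope: {data!r}")
        names.add(DATA_TO_REGIME[data])
    if ny_financial_services:
        names.add("NYDFS")
    if eu_financial_entity and "EU personal data" in data_types:
        names.add("DORA")             # episode: "GDPR, or DORA if it's financial"
    return [REGISTER[n] for n in sorted(names)] + list(contracts)


def required_controls(regimes: Iterable[Regime]) -> Dict[str, List[str]]:
    """Step 2: obligation -> regimes demanding it (what you show the auditor)."""
    out: Dict[str, List[str]] = {}
    for regime in regimes:
        for obligation in regime.obligations:
            out.setdefault(obligation, []).append(regime.name)
    return {k: sorted(v) for k, v in sorted(out.items())}


def strictest_notification_hours(regimes: Iterable[Regime]) -> Optional[int]:
    """Design incident response to the most stringent clock in scope."""
    clocks = [r.notification_hours for r in regimes if r.notification_hours is not None]
    return min(clocks) if clocks else None


def retention_conflicts(regimes: Iterable[Regime]) -> Dict[str, str]:
    """Return the conflicting retain/delete positions, or {} when none conflict.

    A non-empty result is the trigger to take the question to legal and record
    the precedence decision and its reasoning in the register.
    """
    positions = {r.name: r.retention for r in regimes if r.retention}
    if {"retain", "delete"} <= set(positions.values()):
        return positions
    return {}


if __name__ == "__main__":
    # Constructed scenario: a New York financial firm handling PHI and EU data,
    # with one customer contract that demands 24-hour breach notification.
    acme = Regime("ACME-MSA", frozenset({NOTIFY}), notification_hours=24, contractual=True)
    scope = applicable_regimes(["PHI", "EU personal data"],
                               ny_financial_services=True, contracts=[acme])
    print("regimes:", [r.name for r in scope])
    for obligation, demanded_by in required_controls(scope).items():
        print(f"  {obligation:<26} <- {', '.join(demanded_by)}")
    print("notify within hours:", strictest_notification_hours(scope))
    print("retention conflicts:", retention_conflicts([REGISTER["LAW-X"], REGISTER["LAW-Y"]]))
```

The register is deliberately keyed by obligation rather than by regime, because that is the direction the auditor asks in ("show me access control, and tell me which laws it satisfies"); the per-regime view the episode calls "law X maps to these controls" is just the transpose. When the strictest clock comes from a contract rather than a statute, the incident runbook should name that contract, since that is the clock operations will actually be held to.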