CISSP Cyber Training Podcast - CISSP Training Program

CCT 298: Determining Data Controls - CISSP

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 298


Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

A graphing calculator running ChatGPT might make headlines, but our real job is keeping sensitive data from walking out the door. We break down the data states that matter most—at rest, in transit, and in use—and show how to pair encryption, access control, and monitoring without drowning in complexity. Along the way, we share a pragmatic blueprint for classification and labeling that teams actually follow, from visual tags and watermarks to tightly governed upgrade and downgrade paths that keep owners accountable.

From there, we zoom out to strategy. Risk tolerance drives control selection, so we talk through scoping and tailoring: how to apply NIST and ISO 27001 sensibly, where GDPR and HIPAA come into play, and why focused logging beats “collect everything” fantasies. You’ll hear the real differences between DRM and DLP—licensing and usage enforcement versus data path control—and when each tool earns its keep. We also lay out transfer procedures that work in the wild: SFTP with verified keys, email encryption, FIPS‑validated USBs, and restricted cloud shares with time‑boxed access.

Cloud isn’t a blind spot when a CASB sits between your users and SaaS. We explain how a CASB delivers visibility into shadow IT, enforces policy across apps, integrates with identity for conditional access, and even helps you rein in egress costs. Tie it all together and you get a layered, test‑ready approach that helps you pass the CISSP while protecting what matters most. If this helped sharpen your plan, follow the show, share it with a teammate, and leave a quick review so we can keep building tools that move you forward.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

SPEAKER_00:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber. I'm your host for this action-packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.

SPEAKER_01:

Good morning, everybody. This is Shon Gerber with CISSP Cyber Training, and hope you all are having a beautifully blessed day wherever you're at today. Today is going to be about domain two. And specifically, we're going to get into section six or domain 2.6 as it relates to data security controls. And so we're going to be rolling into how do you protect your data from data states to DRM to DLP and so forth. And this is the part around 2.6. And if you have the ISC² book, it'll kind of match to that. But before we do, we're going to get just, I wanted to real quickly talk about an article that I saw that was very for the geeks at heart. This was an interesting article out there that uh if any of you all have ever had to take a test where you had a computer, or not a computer, but a calculator with you, there is a hack out there. It was a TI-84 hack that occurred that allowed you to add ChatGPT to the device. So it's an engineering calculator, and this engineering calculator would typically doesn't have this functionality, but an individual decided to, you know what, I want to try to figure this out so that when I'm taking my tests, I can use ChatGPT versus having to uh figure it out on their own. So as a professor when I was teaching, or an adjunct professor, I should say, one of the things that came up, this was right when ChatGPT came out, my students came up to me and said, Well, hey, can we use uh ChatGPT to help us pass the CI or pass the not the CISSP, but pass the course? And I told them, I said, the point comes right down to, and they're very blunt, and I even come out and said, if you're gonna use it, that's fine. You can use it for the exam. 
But you also have to understand that if I do get any notification, I feel like you are actually using it and your answers aren't from you, uh, I will call you in and then you're gonna talk about your uh your actual test and you're gonna talk about what answer you gave, why you gave it, what was the purpose behind it. So it actually limited somebody from doing that, or they may have just, you know what, decided to uh maybe modify ChatGPT a little bit to give them what they wanted. But at the end of the day, the interesting part is this guy had a graphing calculator and he decided to use his uh ChatGPT to using the get and put functions that are on the device itself, and then was able to make a cut, and again, he made some changes to this device so that it wasn't like this out of the box. Uh, but it was designed to be able to do that, and so he actually went out and he put in a Wi-Fi-enabled microcontroller, uh, which cost about five bucks, and then he also had some other components that he was able to put inside this TI-32 to make it so that it was compatible with connecting to the internet. And it was interesting how he got this to work. So I put the link, you'll have to be able to see this link. It's called it's from Ars Technica Secret Calculator Hack brings ChatGPT to TI-84. Uh, he did mention that during this time he had some voltage issues that when he was putting it together, and it didn't work real easily. He had to go out and make a lot of changes. So, I from a professor standpoint, from a college standpoint, I'd say good on you, man. That right there is a way to use something, and you actually learn something different than what you were trying to accomplish. But the other on this interesting side of that is yeah, you're you're now these professors are gonna have to start thinking outside the box. 
Uh the the old ways of just, hey, I've and I've got a son that is in education, and he they have tests, and their tests have been created, and and they just no offense to him, they regurgitate these tests over and over again when a new batch of students come in. Well, teachers are gonna have to get outside the box a little bit because this is just gonna continue to get more and more pervasive. Uh because people are gonna try it. They're they're smart, they're very, very smart, and they're gonna try to do these different types of things. So something to consider, just I would take a look at it, and it's on Ars Technica, and it is a TI-84, and it is for cheating on tests. So, yes, uh, you can all can try it and see if that's something you want to do. I wouldn't recommend cheating on tests, but hey, that's that's up to you. Okay, so today we're gonna be getting into 2.6, and 2.6 is around data states and determining data security controls. Now, all this information, like I said before, is available to you on CISSP Cyber Training. You can head there and get access to all this information. Uh, it's available to you. Uh, my this video will be posted on the website, so you'll have access to the video there. Uh, you can listen to the podcast, obviously, wherever you get your podcasts at, as well as on YouTube. We've been having a real lot of success with this podcast. The podcast is getting good reviews, it's getting good downloads, and so obviously, you all are enjoying it. So that's positive. Uh, I've got a lot of different feedback from people on there through email that they've been passing the CISSP, which is awesomeness. So we're excited about that. Well, so today is the determining of data security controls. Now, we're gonna get into a couple different parts around data security controls, and this will get into data states as the first topic. 
Now, a data state, and we've talked about this you as we talked through CISSP uh training and the different types of stuff that you need for to be successful to pass a test, but also to be successful as a security professional within your space. One of the things that came up was around, we've talked about is data states data at rest, data at transit, data and use. Those are the three types of data states. Data at rest, this stores the data in a physical media, such as a hard drive, a tape, cloud storage, anything like that is what the data is at rest. Now, encryption on data at rest top will help protect this from access to unauthorized people. Now, we talk about encryption. Encryption is a very slippery slope. You have to have the ability to have keys for your encryption. If you're going to have encryption in the cloud or you're gonna have encryption on premises, you have to have a way to manage these keys so that you can get the data out that is encrypted, unencrypted, and be able to use it. There's different types of encryption that have been out there, and I've seen some of these in the uh investment space where that's homomorphic encryption, where basically the data is always in an encrypted state. So when data is encrypted at rest, right, it's not usable. So you have to, to get it out, you have to decrypt it to get the information out. There's different companies out there trying homomorphic encryption that will basically allow the encryption to be enabled at any point in time during the transition periods. So data at rest, data transit, data use, it is all encrypted. When you're the only time it's not encrypted is actually when you view it on some sort of device to be able to actually view the data itself, if that's what your need is. Or if you are manipulating it, such as through an Excel document or so forth. The thing is with the homomorphic encryption is it's still in the beta phases. 
Uh, there's companies trying to make this work, but it it works in certain situations. In others, it doesn't work as well. So it'll be interesting to see where this goes in the future. But again, data at rest, this is where you have to have different access controls in place to help restrict who can access this data. You also need to have in place a DLP product to prevent unauthorized data exfiltration. And we've talked about data exfiltration, it can be a big challenge with companies because of the fact that you they don't, there's so many ways out of your organization that it's not easy to protect it. And so, therefore, you need to have some sort of DLP in place to be able to help you with that. Data in transit. Now, data in transmit is when data is transmitted over networks. So, this could be over wireless networks, it could be LAN networks, any type of network is when the data is in motion. Obviously, encryption will help this. This helps from when you have point-to-point level encryption. So if you have a computer going talking to another computer from point A to point B, then that's when the data will be protected and encrypted. Uh, VPNs can also help create this secure tunnel that will help for data transmissions. And we've talked about different types of VPNs uh in CISSP cyber training. So the point comes into though is this is what helps when you're trying to transmit data between two locations. Another type is TLS and SSL encryption. This is where are various, these are secure protocols that are used a lot for different types of communication, but mainly for web communication. But you can use TLS in various different pieces. Now, the most current version is TLS 1.3, uh, and therefore, if you use earlier versions, you need to make sure that they have not been deprecated and are still a valuable use. Data in use. This is where data is actively being processed. Access controls will help restrict that, right? Who has access to the data? 
Data masking, this is another part where the data is coming in. You have your, let's say, for example, social security numbers, those are masked, maybe the first, however many, six digits, or you just leave the last four digits are available. That's a masking technique. There's various applications that will do this. I've personally worked with uh Salesforce to make that happen, but there's various other applications that will have that capability built into it. Most ERP type solutions, which is your enterprise resource planning uh products, applications such as SAP, there's many other ones out there. Salesforce is another one, they will have data masking enabled. Privilege user management, this is where it will control access for users with elevated privileges. Maybe this, when you have elevated privileges, you are not able to gain access to certain levels of data. Or the vice versa. If you don't have access to these elevated privileges, you don't have access to much of anything. So the bottom line is when you have your data that's in use, this is data that's actively being processed as it relates to a data state. Now, the ultimate goal is again protecting the confidentiality of this data, and this is through the use of strong encryption and access controls, which we've kind of already recommended and mentioned. There's we talked about the examples that are available, and one of the things like a data encryption example could be you have your data in your database, and that database tables are encrypted as well. So again, I talk about, but you know, kind of what the interesting part about data at rest is it really truly never is at rest, except for when it's powered off and it's disconnected from the network. Data in many cases is being tagged and pulled on on a new numerous basis. It doesn't mean that it's not idle, but most of the time when data is at rest, they're meaning data in the storage of some kind. 
Data in transit, we've talked about through HTTPS encryption, and then data in use through web applications and the various aspects around that. So when you're dealing with data states, you need to consider the sensitive information and you need to have a plan. One of the things that I've seen so often when I've talked to different companies, when I've been to companies myself, they the data they don't really have a good plan because they don't have a good data owner that really understands what is going on with the information that's there. And so you need to have a plan around labels. One of the aspects is that how do you label this specific data? A data classification scheme is a really good thing to have. If you don't have one in place right now, it will go a long way in helping you to be able to protect the information that's on your network. And I would recommend that if you don't have one, start small. Get a small subset of data that you know that is this is what its state is. This is the this is the classification it should be. And then from there expand your way out. Now, you can either do this manually by yourself, or you can bring in a third party that can help you with your data classification plans. Now, there's various third parties out there that help you with this. The ultimate goal is that they want to have the ability so that when you can flip on a switch, your data within your environment starts to become classified in a format that is best for your organization. So again, you really need to have that. And then you need to document and manage the plan. I document how you're going to do it and then manage the overall plan. Now we've talked about various labels that you can use. Obviously, there's physical labels, there's also uh digital labels. But from a physical standpoint, let's just think about what are some different labels you can use within your organization. 
You have unclassified, you have secret, you have top secret, you have confidential. Those are some basic Air Force type uh labels that we used, but there's multiple other types of labels that you can use within your organization. These labels could be private, they could be general, they could be sensitive, they could be pretty much anything you want to label them as, but there's different types of you need to come up with a different type of labeling schema for your company and your organization. Now, the physical labels, one of the aspects around this is you could put them on drives themselves. So, like say you have a hard drive and you will put this label saying this is a classified hard drive or this is a business sensitive hard drive. You also would want to recommend doing some level of color coding with it that would include the name. The reason I say that is because people are visual people and they they will read it, but if you automatically notice, say, for instance, your classified, your secret is red, and your uh free for financial use is yellow or whatever you want to call it. And then what ends up happening is you're going through these different devices and you see these labels. Well, those are all red, so those are all this classification. Those are all yellow, these are all those classifications. So those are an important part of when you're looking at creating some level of data classification, especially from a physical standpoint. Watermarks on the data is really important. Do you put it like an unclassified label? Do you have it in the footer or the header? Another piece of aspect that you might want to consider. You see this a lot within lawyers. Uh they will put this type of label on many of the documentation that they use. So it's again, it's very simple. You see it, it's in your face. You have a hard time being able to walk through saying, hey, I didn't know. But you do want to stick with a standard nomenclature. 
What I mean by that is just make sure that whatever terminology you come up with for your organization, it stays standard and consistent throughout your organization. And then you need to document these procedures from an upgrading, downgrading sensitivity, transferring sensitive data files, and then even destroying the sensitive data. How do you do that? Do you have a process to do that? So there that you really need to define this, especially if you're getting this level of classification. And it could be as simple as so upgrading and downgrading. Had a situation where there was many, uh we we broke it into about four buckets. And of these four buckets, the two were the most highest sensitivity to the company. You could you, as an individual, could not go in and downgrade a document and put it on whatever you wanted. The same went for upgrading. You as an individual could not do that. There were certain people within the organization that could do it, but you as an individual could not. So it's important to have those individuals tied within your company so that they know who they are, so that they're not trying to and that this avoids then have one, having the rights to do it, but two, if something does go sideways and something was changed, you now know who to go talk to because only those certain people should be allowed to do it. Now, scoping and tailoring. Now, this is scoping sets the baseline for the various security controls within your organization. And you want to set only the controls that apply to your area of operation. In this case, it would be IT, right? So if you were, but you can help the different parts of the organization, especially with IT-related functions, scoping the security controls for their organization. As an example, if you're dealing with finance, you can help them scope what is best for them. 
If you all haven't figured out yet, many of these organizations don't have IT people that can help them understand all these different security controls. So you, as a security leader within your organization, it would really behoove you. One, it gives you a lot of street cred. Two, your job is to influence. Well, how better to influence people than by helping them reach their goals and their desires? And so, therefore, by you helping the finance department or the HR department or operations understand all these things, you have now helped elevate yourself into a position where you are influential and you can provide more value to the company. You also need to tailor this based on the, and well, come back to the IT as an example. So when you're setting up controls for specifically for IT, your system would only allow potentially one RDP session. You need more controls around remote access. All of those different types of scoping pieces you would come into play. What systems are you going to monitor? Are you only going to monitor just all of them, or are you going to monitor all of them, or are you going to monitor only just a small subset? Again, that's the scoping piece of this. Tailoring. So when you're dealing with tailoring, you need to list the controls that align with the baseline of the organization. What is the risk tolerance for the organization? I was talking to a gentleman the other day about risk within their organization. And certain people do not understand the risk concept. They try to protect everything. Well, unfortunately, when you try to protect everything, you're going to protect almost nothing because you're not going to do any of them right. And the better part is that you want to focus on protecting the most crucial, the most critical to your organization that are the highest risk to your company. That is where you want to focus on. And so that's what the tailoring comes into play. 
So you understand the risk tolerance for your company, that will go a long way with helping you understand what to best protect. If you can take anything from all this stuff that we're talking about with the CISSP and you're talking from a leadership standpoint, risk tolerance is key. And if you don't know the risk for your company, find out somebody who does. And if you talk like that, the risk tolerance for your organization, if you talk like that to your leadership and to your senior leadership, you're going to win street creds with them because the fact is that they live their entire life based on risk. And you have to understand if you're a protector of the data, you got to understand what is their level of risk. How much are they willing to risk for the organization? Some of your senior leaders, their risk tolerance is extremely low. They will not take much risk at all. But then that's good because then you can focus on how to product how to protect your company without taking on a lot of risk. But that would also mean that you need to focus on doing the basics, on the basics, the foundations, the fundamentals that will take you to where you need to go if you have a low tolerance for risk. Another example about this is that when we talk about risk polar risk tolerance for an organization, it's the minimum security standards. Locations of are using the NIST 800 series to help you with this. So again, you need to understand what the organization needs, and then you can tailor your protection plans around what the organization actually needs and wants. Setting standards, there's a base uh on internal or external needs for your organization. So GDPR, China Cyber Law, PCI DSS, they all have standards, but not all standards apply to each and every one. So, as an example, the China Cyber Law, that is a very big thing within China, it does not apply within the United States, obviously, right? So they don't always apply. 
That being said, the the standards around security are pretty much the same, whether you're in the United States or whether you're in China. The point, though, is how they implement those different types of standards is really the differences. So if you're with a company and your company says that I want to have security controls in place that is monitoring individuals as they come and go from the building, great. That's all. That's all I want to do. But then you have another part of the world that says, I want to monitor everybody who comes and goes in and out of the building. I want to know who they are, and I want to know their party affiliation. That's a different style. So you you have very contradictory areas. Parts of the world are very draconian in what they want to protect their people. Other parts of the world are not as draconian, and then there's a lot in the middle. So it comes right down to is setting the standards is really important. And using defined standards is even more useful if it if if even not required. You really need to come up with those standards and you need to define them. And it's for your own good and it's for your employees' good because it's really hard to fly a plane when you're blind. And so if they don't know what the standards are for their organization, it's easy for them to make mistakes. It's also easy for them to then when they do potentially make mistakes that are intentional to get out of any sort of actions against them because you didn't have a standard. And so how would I know? So again, having that information is really important. So organizational standards are an important factor. You can focus on HIPAA, GDPR, NIST, ISO 27001, all of those have different types of frameworks. If you follow some of them depending on your business model, they will help you and guide you in the direction you need to go. 
And then you need to focus on best practices and staying updated on emergency threats and the vulnerabilities that are associated with them. Now, digital rights management. What are DRM? DRM, what are? That was really good English. Holy cow. Wow, my wife tells me this all the time. You don't speak good. I'm like, that's what happens when you get old. I'm getting senile. Uh, digital rights management. This attempts to provide copyright protection for different types of data files. It's the goal is to print up, prevent unauthorized use, modification, and distribution of copyrighted data, obviously, right? So this happened in the long days. They used to have CDs back when CDs were something around. The Sony would, that was kind of the big case around this. They actually put in some level of uh malicious, that wasn't malicious, but it was a software that did the tracking and it was tied to their DRM. Now the DRM, it's a the license will grant access to a product and determines its its use. So a lot of times you'll get keys, right? So if you want to use a product, there are there are keys that you must have that unlock the licensing around it. That's part of the DRM. Uh and many times this could be a very small key file with an encryption key. It could just be you know, really just a bunch of letters that it then calls home to the mothership and will confirm it. You actually have the right license. Um, I have used like an actual hard key fob to be used as a decryption key as well. So it it really depends upon how you're going to use the software, but most software has some level of DRM built into it. Now that does have a persistent online authentication. I'll use an example of this. This is Microsoft. So in the old days, you could have not that I did this, but you could actually have multiple bootleg copies of Microsoft Office, right? And you it was really hard for Microsoft to understand what that was. 
You could get a key, you had key generators, you could put in fake keys, you could do all kinds of stuff, and it would all work. I speak from friends telling me this type of stuff. The point then is then Microsoft, smart as they always are, they had some level of persistent online authentication in place. And then then once the system is on, it's tied to usernames. It's also watching if it's on. It can then understand do you have the licensing for this product? That was a huge deal. So now you're in a situation where instead of having so many, and that I know those bootleg CDs are still out there in many places, obviously, but they as they've moved to Office 365, they're now in a situation where the data is always available to you. So now you have to pay the subscription. But it's it's good, it's a win for the consumer because the prices for the Office 365 are lower uh than they were when you have to buy the entire package. So it it's still the same amount when it's all said and done, but now you're paying it out over a monthly period. But again, it does require the DRM product to be connected to the internet, and periodically this will connect with a license server to ensure that it's got activity. Now I've put in systems within Sython organization, and I had to actually build a license server specifically for uh the licensing of that application. And then that server itself would then communicate back to the mothership. So it just depends on the type of environment you have to connect to. So when you're dealing with digital rights management, the ultimate goal is to prevent unauthorized copying, this unauthorized duplication or distribution of the content. And it they may even have enforcing usage restrictions, which would limit the number of devices or and or users that can access the content. Good example is Netflix. Uh Netflix keeps popping up. Hey, if you want to share your Netflix account with your family, you can do that now for an extra fee. 
But they know through geolocation where you're using it. So if you're using it at home and then all of a sudden it gets used in Mumbai, you're going, wait a minute. So they may ask questions around that, right? Uh I do know they allow some of that activity, but again, they they do enforce usage restrictions around limiting the number of devices and users. Disney Plus is another one. A lot of these they do that. They implement levels of DRM technology to help protect their digital content as well. So if you buy CDs from Walmart or some other location, there is DRM technology built into those DVDs so that you can't just go out and copy them. Uh again, that technology is designed specifically to protect their rights, and it should, because you know what? That if you if you're copying them, more or less you just you can break it out however you want, it's theft. And so you therefore they have to put these protections in place to protect their intellectual property. Now, digital rights management. This is the key points with DRM. This is a continuous audit trail, so it does track the use of the copyright product, uh, it especially if it's connecting to the mothership. If it doesn't connect to the mothership, obviously it's pretty hard to do that. But today, most things with streaming, it knows where you're using it, when you're using it. It can detect abuse. Uh, I will say that I've known some individuals that tried to use the uh movies that had been hacked and were put onto their servers. And as an example, then they go and they go, hey, watch this video. Well, unfortunately, they're they're pulling it off of their Google Drive or they're pulling it somewhere else, and it's going over the ISP. Well, the ISP knows, hey, this is a uh duplicate of a movie that's out, and therefore it will flag that. Uh, I don't know how they do it, but they've got a way that they figure out how to do that. So the interesting part is that's another level of DRM. 
And it can detect abuse uh with different uses of products in different geographic locations. They also have automatic expiration. These products are sold on subscription basis, basically yearly. It can be month to month, or you can buy the subscription one time. But bottom line is they have automatic expiration on them, and therefore they get you to come back and buy some more. Uh, these expiration ends that the basically the product access is blocked. So, and you all have dealt with this. I'm not telling you anything new because you all have probably some level of streaming service in your own homes. Uh, DRM functions, these can accomplish various protections on files. Obviously, they can limit printing, USB access, email access, all of those kind of pieces can be added to that as well. Uh, so again, this will a lot be discussed much more in our intellectual property sections, which will go in deep deeper around IP and IP protection mechanisms. But DRM is something that you will be dealing with as a security professional in a almost all the time. Now, DLP. So we have DRM, we have DLP, data loss prevention. I deal with DLP and the different types of access around data uh documents. Now, as life is changing, DLP is becoming a bigger deal for most companies. And companies need to consider this because one, you have intellectual property, two, there's a lot of intellectual property theft going on. And this intellectual property can be as simple as just how you do business. Say you have a certain process by which you move widget A to widget B, and that gives you a competitive advantage over your competitors. And so, therefore, that process of widget A to widget B is sensitive, and you don't you want to potentially protect that. So, this is where DLP can come into play. Now it goes back to the part where we talked about sensitive data. We have to have an understanding of what is sensitive within our organization. 
And so, therefore, once you determine that, you can determine what needs to be protected. You then need to monitor the data movement, the data paths: where are they going to? I went through an entire exercise with a company before of where are my data paths going, where is all the data transferring to. One, I wanted to know where it was to protect it, but two, I had regulations from governmental officials telling me what kind of data is coming and going from our country. So you have to understand the data movement. Just knowing where the data is is one thing, but knowing where it's stored and knowing where it goes is another. If you like security, if you like puzzles, security is a good thing, because you have to think abstractly. You have to think very outside the box to really try to understand where everything is moving to. And you still will not be 100% perfect or accurate, guaranteed. But having that knowledge also, I'm gonna just tell you from an ego perspective, puts you in a very good position within the organization, that you understand where the dead bodies are. You understand where all the data goes. Very good place to be.

Prevent unauthorized exfiltration. You need to look at ways to block attempts to transfer data out of your organization. You need to look at ways to classify data and assign it to different levels of protection based on the sensitivity of the data, and then you need to implement these various DLP products to monitor and control the data movements. There's lots of different products out there that will do that. Microsoft has some stuff that they're rolling out more and more. I would say they're probably the industry leader just because of all the Office products; most of the things that are created today are built in an Office type format. And I know there's the Google Sheets folks out there, I get it, but most of it's in an Office format.
And so the DLP products work out where they can actually be embedded within those types of products as well. So we talked about the different types of labels that are there. You need to use labels, and these will have meta tags on them that will then help understand what is the best right or protection for that document. As an example, you may have a document that says you have printing and you can view it online, but you can't email it and you can't download it from a certain location. Those are the meta tags that will be tied to it as well. And so that's really helpful, especially when you're trying to sort through all of your data.

You need to have documented procedures around transferring sensitive data. Is it using FTP? Can you use email for transport? Are you using USB sticks? If you do any of these transports for sensitive data: one, are you gonna have encryption? Are you gonna have PKI certificates for your email? Are you gonna use FIPS 140 series encryption for USB sticks in case they're lost? You need to consider how you transmit this data to individuals and how you transport it. So something to think about for your procedures, and you need to document that. And this is the problem it runs into, right? Auditors want you to have full documentation from soup to nuts, everything in between. I still never really understood what that means, soup to nuts. But from the beginning to the end, they want you to have everything documented. As we all know, that is almost impossible. So you need to document the basics, and then you need to understand how to manage all those basics. And then you need to have that in a place where people can reference it. But going to every extreme... extrude... big $10 word there. Yeah, see, I'm screwing that up.
It's to go from adding everything in there to just having it to where it's more of a run book, more of an A plus B plus C, a more condensed version. You want the condensed version, because the more stuff you put in, people are just gonna ignore it, and it will go bad over time. Over time, it'll become not nearly as useful. Storing of sensitive data: we talked about encryption, access controls, logging and monitoring. Big factor. You want to have logging and monitoring. That being said, make sure that you figure out how much logging you're going to be collecting, because it comes at a cost. Destruction and deletion of data: how are you going to deal with it at the end, when this is all over?

Okay, last part we're gonna talk about is cloud access security brokers. What is a CASB? Okay, so a CASB is like a security policy enforcement point for your cloud services and your applications. This is where basically it sits between your organization's network and the cloud service provider. So they sit in the middle, and it provides visibility, control, protection, all of these pieces around cloud-based data and the applications themselves. And the reason is that you have all this data that's coming and going from your on-prem environment all the way to the cloud. It needs to be best protected, but you need to have visibility into it as well. So the functions of a CASB: you've got visibility, you've got control. When you're dealing with visibility, this will track the cloud usage and identify potential risks that are going on. This could be too much data going to or from the cloud. The nice part about tracking the usage is it also will help you with the financial aspects of it too. It understands how much data is going in, because you're getting charged for the data that's going in and coming down. Usually the data going up isn't charged nearly as much, if not, it's almost, air quotes, free.
But where you get caught is when you try to download the data; that's when it gets really expensive and/or it takes a lot of time. It monitors data movement and access patterns. It also provides insight into cloud costs and the usage itself. From a control standpoint, it enforces security policies for cloud applications and services, restricts access to sensitive data and applications, and prevents unauthorized data exfiltration. So again, it does all of that for you. And they're really becoming more and more popular, obviously, because we have a much larger footprint in the cloud. But you want to really consider the use of your CASB. They also get into protections and integration. Now, they protect the data stored in the cloud, obviously, because they can add that level of encryption that goes up there. They can detect and respond to security threats. A lot of times the CASBs will have a key management system in them, so therefore that helps with the data protection. Integration: this integrates with existing security infrastructure, connects to identity and access management systems, and then works with other security tools like firewalls, intrusion detection systems, and the like. So there's a lot of great things that a CASB will bring to bear. So the benefits we talked about: again, improved visibility, enhanced security, reduced risks. It's simplified compliance, and it helps with compliance as well as any sort of industry regulations that you may have, any sort of frameworks you've got to follow; it will help with that as well. And it does give you improved governance and control over your cloud environment. All right, that's all I've got for you today. I hope you guys have a wonderful day.
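The DLP points made earlier in the episode (classify the document, attach a label whose meta tags say whether it may be printed, emailed or downloaded, and keep the sensitive transfer channels to encrypted email, SFTP and FIPS-validated USB) are exactly what a DLP product evaluates on every transfer attempt. The following is an added example written for this page, not code from the podcast or from any DLP product, showing what such a label-driven check looks like in Python. It goes one step past the spoken description: the effective classification is the assigned label raised by content inspection (a card-number pattern confirmed with a Luhn checksum, an SSN pattern, and "internal use only" markers), and a downgrade of the label requires the data owner's sign-off. The classification levels, the channel policy table, the trusted domain `example.com`, and the two sample documents are constructed assumptions.

```python
"""Label-driven DLP transfer check. Added example for this page; the policy
table, trusted domains and sample documents are constructed, not from any product."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Classification levels, lowest to highest sensitivity (assumed scheme).
LEVELS = ["public", "internal", "confidential", "restricted"]

# Hypothetical policy: which transfer channels each level may leave on.
CHANNEL_POLICY = {
    "public":       {"print", "email", "usb", "cloud_share"},
    "internal":     {"print", "email", "usb_encrypted", "cloud_share"},
    "confidential": {"print", "email_encrypted", "usb_encrypted", "sftp"},
    "restricted":   {"sftp"},
}
TRUSTED_DOMAINS = ("example.com",)   # assumed in-house mail/share domain(s)

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
INTERNAL_MARKERS = ("internal use only", "do not distribute")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits; filters out order and phone numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def higher(a: str, b: str) -> str:
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


def classify(label: str | None, text: str) -> str:
    """Effective level: the assigned label, raised if content inspection finds
    regulated data (card numbers, SSNs) or internal-only markers."""
    level = label or "public"
    if SSN_RE.search(text) or any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        level = higher(level, "confidential")
    if any(marker in text.lower() for marker in INTERNAL_MARKERS):
        level = higher(level, "internal")
    return level


def is_trusted(domain: str) -> bool:
    """Exact or subdomain match only, so 'evilexample.com' is not trusted."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)


@dataclass
class Decision:
    allowed: bool
    level: str
    reason: str


def check_transfer(doc: dict, channel: str, destination: str) -> Decision:
    """Decide whether `doc` may leave via `channel` to `destination`."""
    level = classify(doc.get("label"), doc["text"])
    if channel not in CHANNEL_POLICY[level]:
        return Decision(False, level, f"{channel} not permitted for {level} data")
    domain = destination.rsplit("@", 1)[-1].lower()
    if level != "public" and channel.startswith(("email", "cloud_share")) \
            and not is_trusted(domain):
        return Decision(False, level, f"external destination {domain} for {level} data")
    return Decision(True, level, "policy satisfied")


def relabel(doc: dict, new_label: str, approver: str) -> dict:
    """Upgrades are free; downgrades need the data owner's sign-off."""
    current = doc.get("label") or "public"
    if LEVELS.index(new_label) < LEVELS.index(current) and approver != doc["owner"]:
        raise PermissionError(f"only owner {doc['owner']} may downgrade {current} -> {new_label}")
    return {**doc, "label": new_label}


# Constructed sample documents.
PROCESS_DOC = {"label": "internal", "owner": "ops-lead",
               "text": "Widget A to widget B routing. Internal use only."}
CARD_DOC = {"label": None, "owner": "billing",
            "text": "Customer card 4111 1111 1111 1111 on file, order 1234567890123"}

if __name__ == "__main__":
    for doc, ch, dest in [(PROCESS_DOC, "email", "bob@example.com"),
                          (PROCESS_DOC, "usb", "-"),
                          (CARD_DOC, "email", "bob@example.com"),
                          (CARD_DOC, "email_encrypted", "partner@supplier.test"),
                          (CARD_DOC, "sftp", "drop.example.com")]:
        d = check_transfer(doc, ch, dest)
        print(f"{ch:16} {d.level:13} {'ALLOW' if d.allowed else 'BLOCK'}  {d.reason}")
```

Two design points worth noting: the Luhn check is what keeps a pattern-only rule from flagging every 13-digit order number as a card, and the trusted-domain test matches the exact domain or a subdomain rather than a suffix, so a look-alike domain ending in the same characters does not pass as internal.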
Again, head on over to CISSP Cyber Training. Head on over there, get access to the CISSP training documentation that I have, get access to my courseware, any of the courseware or any of the mentorship that you want to purchase at CISSP Cyber Training. All of the information, all of the money that is used to purchase that information, goes to our nonprofit for adoptive families. That's the ultimate goal for us, is to provide a way for adoptive families to be able to adopt kids and help reduce some of the cost associated with that, because it's very expensive to adopt children. It's terribly expensive. But the point is that that is there and available. Anything you purchase all goes to our adoptive... I think it's called the Shepherd's Hope. My wife is just finishing up the name on that. But the ultimate goal is that we want you to pass the CISSP. We want you to get successful in your security career. That is the purpose of CISSP Cyber Training: we're here for you. All right. Have a wonderful day, and we will catch you on the flip side. See ya.