CISSP Cyber Training Podcast - CISSP Training Program

CCT 317: Local Cybersecurity Funding - CISSP Practice Questions (Domain 1.8)

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 4 Episode 317

Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

Podcast Link(s):  https://www.cisa.gov/news-events/news/dhs-launches-over-100-million-funding-strengthen-communities-cyber-defenses

Cyber attacks don’t skip small towns, and today we dig into how local governments can turn policy into protection. We start with the new funding landscape for state, local, tribal, and territorial agencies—what’s approved, where the dollars flow, and why alignment with CISA and the NIST Cybersecurity Framework is the difference between good intentions and measurable risk reduction. From staffing gaps to critical infrastructure dependencies, we break down a practical way to prioritize controls, track progress, and build lightweight governance that keeps projects moving and leaders informed.

Then we pivot into CISSP Domain 1.8 with real scenarios that security teams face every week. What do you do when phishing simulations stall at a 40% click rate? We outline how to redesign awareness with role-based content, immediate coaching, and the right technical controls to lower human-driven risk. What’s the right response when a new admin refuses to sign an NDA? Bring legal in, set the standard, and be ready to stand firm on conditions for sensitive access. We also unpack training repayment disputes during offboarding and why access revocation, asset return, and exfiltration monitoring must come before chasing dollars.

We don’t stop there. An employee’s personal cybersecurity blog can be a liability or an asset—depending on how you set guidelines and review content. And when insider risk hits hard—a soon-to-be-terminated analyst copying files to a USB drive—the immediate play is decisive: disable access, secure devices, preserve evidence, and coordinate with HR and legal. Throughout, we keep the focus on clear policy, consistent enforcement, and actionable steps that work for resource-constrained teams as well as larger enterprises.

If you’re a security leader, an aspiring CISSP, or the de facto defender for a small community, you’ll leave with concrete actions to raise your defenses, educate your people, and respond fast when signals turn red. Subscribe, share this with a teammate who needs a sharper playbook, and leave a review to help more practitioners find the show.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

SPEAKER_01:

Good morning everybody. It's Shon Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is CISSP question Thursday, and we are going to be focused on domain 1.8 of the CISSP exam. Now, as you guys know, last week was 1.8 as well, but we had a really long podcast and I had to break it into two sections because of the length. So because of that, we now have again 1.8. But that's okay because guess what? There's a lot of questions on domain one of the CISSP exam. But before we get started, I have an article that I wanted to show and just kind of talk to you about and see what you all thought. Okay, this article is from CSO magazine, and it is cybersecurity at the state and local levels. Washington has the framework, it's time to act. So I will tell you that this is actually kind of comes close to my heart because I feel very strongly about the local uh communities and the local governments being able to thwart a cyber attack of some kind. And so this big the key point about this is that DC has established a policy framework, and here's the key point funding mechanisms to improve cybersecurity for state, local, tribal, and territorial governments. So there's money set aside and there's a framework to do this. The biggest challenge now is implementing this and using those resources effectively. And I totally agree with all of that because it's it's a challenge, right? I live in a very small community, about 5,000 people, um, very tiny area compared to the the city itself and the proper. Um overall, I live in a small town called Mulvane. It's like M-U-L-V-A-N-E. It's like a mule and an ain, I guess you want to call that. Mulvane, and that is a small little tiny town just south of Wichita, Kansas. And so a 5,000 people in this tiny town, uh, a lot of they they really have uh an interesting thing on cybersecurity. They actually have things in place, which is awesome.
But the other thing that's kind of interesting around that is the fact that they don't really have a full-time staff to deal with it. And there's critical infrastructure focused on all of those pieces that are tied to this small little community. And Wichita, as Kansas as a whole, you know, is really only got about a half a million to three-quarters of a million people that live in this area, this multiplex. And they're cybersecurity folks. I've met them, they're very nice people, and they have a hard job ahead of them as well. So the thing is that there's money set aside for these local governments and tribal governments to be able to put some level of cybersecurity activity in place to protect everyone. So this executive order was signed back in March of last year, and this is the Trump administration looking on achieving efficiencies through state and local preparedness. That is their ultimate goal. And their point is that they have crit many people have criticized the executive order that it's not good enough, it's not strong enough, it's not something that they can people can use fully. I challenge that in the fact that something is better than nothing. Now, whether you have a political agreement or disagreement with the Trump administration, doesn't really matter. The bottom line is that the attackers don't care what side of the fence you're on as it relates to the political spectrum. So therefore, it is imperative as us within our country to be able to protect us. Now, if you live someplace other than the United States, which a lot of my podcast listeners are, um it's also important that you probably live in small little hamlets and little villages and communities in your around your part of the world. So talk to your local governments about how to try to do something like this. 
So they've also authorized about a billion dollars over four years, so it's 250 million roughly a year, and they pass at least 80% of funds to local governments, and they set aside 25% for rural jurisdictions, like tribal type of communities. So the thing is you have to tie it to the CISA, the cybersecurity frameworks, approved state cybersecurity plan that aligns with the NIST Cybersecurity Framework. So CISA approved it, it's got to align to the NIST Cybersecurity Framework. So they aim to extend this funding for 10 more years, and then so that way there's some long-term stability out there. So they just put it for a short period of time, but then they're gonna push it out even further. So the the big thing around this is implementation and funding. There was a bit of a pause back in November of this year uh due to the budget cycles and everything else that's going on with it. But there is money out there to specifically do this. And uh as of August 1st of 24, DHS has provided approximately 172 million to around 33 states and territories. Okay, funding up to 839 cybersecurity projects. Okay, so those that's great. That's awesome news. The great part about all this is now there's even more funding available specifically to help this. So I would highly recommend that you go out and talk to your local communities if you haven't already and tell them about the money that is there set up to be able to be doing funding. And I say that as it's the words are coming out of my mouth. I'm thinking, okay, I need to go talk to our city council as well and ask them about how about how they would do something like this. The problem is I know what's gonna happen when I do that. They're gonna say, we don't know anything about it, so would you do it for us? So I have to be prepared to deal with that. But bottom line is that you need to do what you need to do to protect your local communities. You all are cybersecurity professionals that are listening to this podcast.
You have at least some level of knowledge around it. Some have varying degrees, some are old, a little long on the tooth, like myself, been around a while. Others are maybe not quite as seasoned, and that's okay because a lot of times your enthusiasm and expertise and young thoughts can actually go a lot further than someone in this potentially my age. But again, it doesn't really matter. The point is that go do something. Use your powers for good, not for evil. That is always what we've been saying on CISSP Cyber Training. So go check it out. It's CSO from Kevin Powers, Cybersecurity at the State and Local Level. Washington has a framework. It's time to act. Okay, so let's get started with what we're gonna go into today. Okay, so before we get into the questions, again, gotta have a shout out for CISSP Cyber Training. Head over to CISSP Cyber Training, get access to all of my free content. I have tons of free content that is there and available to you. I have lots of people that email me all the time telling me how much that they appreciate the content and that they pass the CISSP. So I love it. I love hearing from you all. Please tell me if you've passed it or if you've had any questions around it. That's great because I just really enjoy hearing your guys' voice and what you have to say about it. Uh, but again, there's very many different options there for you. You have a lot of paid programs. I also have the free stuff that's available. Tons of hours for you to listen and watch videos, as well as thousands of questions that are curated specifically for you. So it's a great way if you are looking to pass the CISSP the first time and you are a self-study professional that really wants to just do it on their own and doesn't want to spend a ton of money on a huge boot camp. 
This is the right course for you because it will help you walk you through, give you all the benefits of a CISSP boot camp without having to go someplace and spend anywhere from around seven to ten thousand dollars. So again, go check it out CISSP Cybertraining.com.

Okay, questions on domain 1.8. Question one: an organization implements a mandatory security awareness training for all employees. Okay, so everybody's getting this mandatory security awareness training. After six months of phishing simulation exercises show a 40% click rate. That is not good. 40% is not good at all. Unchanged from the baseline. What does the primary what does this primarily indicate about personnel security program? Okay, so your people are clicking on links and that hasn't changed. What can be the problem? Maybe it's you. Maybe you need to leave. No, let's not go there. Okay, so A, employees are hostile to security initiatives and require disciplinary action for non-compliance. Okay. B, phishing awareness is not a personnel security concern and resources should be redirected to technical controls. C, the organizations should increase training frequency from annual to quarterly to improve retention and to improve the numbers. And D, the training content or delivery method is ineffective, and the program requires evaluation of training relevance, delivery methods, measurement approaches, and potential need for role-based training. Okay, so let's go into the ones that are not correct. So again, you have a 40% click rate, which is astonishing, which is terrible. So to put it in perspective, most companies, if you start off a security awareness program, uh they will get anywhere from probably 10 to 20%. 40% means they're just clicking to click. And uh there's some challenges to doing that. So first one that's not right. Employees are hostile to security initiatives and require disciplinary action for noncompliance. So that could be the case, right?
You could have some employees, depending on the size of your organization, who are just gonna go, I'm gonna stick it to the man. I don't want that. I don't want it at all. So I'm gonna do that. And they use that southern accent when they say that too, I'm sure. Uh, but no, they're they don't want it. They don't want anything to do with security. Now, I've seen this happen. Yes, there are a few people that within security organizations, within organizations that are not fans of all the security awareness training, and they are a bit vehemently on not doing anything with it. So, yes, but I would think that that is not the primary indicator of what your problem is, because they're a small subset of a very large group in most cases. That doesn't mean always, but in most cases. The next one is phishing awareness is not a personnel security concern and resources should be redirected to technical controls. Okay, so we all know that technical controls are an important part of any security program. We also know that if you don't have good phishing awareness training in place for your people, that's a bigger problem. People are your problem. They click on things, they also can be your solution, but they are in many cases your problem. So if people click on links, you need to have some level of way to teach them. And a technical control will not fix everything related to people. People just goof it up. They just do. So you have to come up with a good program for that. Hence, B is not the correct answer. C, the organization should increase training frequency from an annual to quarterly to improve retention. Okay, well, this is this is increasing frequency. So if you have it once a year and you go into quarterly, um, that probably would be one of the aspects you might want to do. Um, especially if your baseline is at 40%, you may come back and just say, yeah, we're we're gonna have to do something different here.
And until people move, get the fix this problem, we're gonna go on a quarterly basis. And uh take it out of a movie out of Animal House, the beatings will continue until morale improves. Uh so that's what's going to happen, right? This is what's gonna go, is you're gonna keep getting beaten over the head with a security awareness training program. Uh so no, that's not the correct answer. So the correct answer is C. The training content or D, I should say, the training content or delivery method is ineffective. Yes, that's true. And the program requires evaluation of training of relevance. Yes, that is true. Delivery methods and measurement approaches, all true. The potential need for a role-based training as well should be considered. That is true. So a lot of different things. You just basically need to take a top-down approach to your security awareness training and determine if it's even viable and then what should you do to fix the problem. So don't just keep kicking the can down the road and wait, okay, well, it wasn't good this year. We'll go again next year. Uh, you it's probably gonna be a combination of the last one of D along with C and increasing the frequency of your training and tell people just get it. That's the ultimate goal. All right, next question. During onboarding, a new system administrator refuses to sign the NDA, citing concerns about overly broad restrictions on future employment. Legal confirms the NDA is the standard. It's boilerplate, it's something that they always use. How should this be handled? Okay, so you're bringing on a new networks admin, and this could be you could security professional, could be a network admin, could be anybody. But you as the CISO, as a manager, are gonna have to deal with this. So they are concerned that there are overly broad restrictions of future employment. So A. Proceed with employment without the NDA as the NDAs are difficult to enforce and refusal indicates honesty. 
B, offer to have legal counsel explain the NDA terms, but make it clear signing the can signing is a condition of employment for roles with access to confidential information, and be prepared to withdraw the offer if they refuse. C. Modify the NDA specifically for this employee to address their concerns and proceed with hiring. D, escalate to the executive team to make the exception given the difficulty in finding qualified system administrators. Okay, so there are a lot of nuances in play here, and you might be concerned to do one of them. So we got to think about this, right? Which one is the right answer? So when we come down to let's go to the ones not the right answer. Proceed with employment without the NDA, as the NDAs are difficult to enforce, and refusal indicates honesty. Okay, so now do you want to go without an NDA? That would not be recommended. Okay, you would not want to do that. Uh the NDAs are important. Now they are they difficult to enforce? Yes, they can be. Um, they can be a challenge. However, I was when I was a CISO, I was dealing with a person in a in a country far, far away who violated their NDA. And guess what? The corporation had lots of lawyers, and they basically told these people, lawyer up. And once you do that, now your money goes away. Um, so yeah, if you're gonna do those kind of things, your corporation has the ability to come to come after you. Anybody does. And so you just kind of have to weigh, is it worth the the hassle or not? So just kind of think about it. The NDAs are very important, and I would not go without an NDA. Another one is uh modify the NDA specifically for the employee to address concerns and proceed with hiring. Now, this is incorrect, right? Because if you want to go without the concerns or basically look at their concerns and then proceed without hire with hiring the person, um you're now dealing with a legal document that your legal team's gonna have to deal with. 
And then once you make a modification to this for this person, what about the next person? So you got to kind of think about that. It's also a really good way for you, but I'd say this in it's imperative that you do bring it to legal counsel to have them look at it, because maybe there is something that's a bit onerous and draconian about it. Uh escalate to the executive team to make the exception, given the difficulty in finding qualified system administrators. So if you the the escalating to the executive team probably wouldn't do, however, there is a little caveat in this in this answer that is something to think about is finding the qualified system administrators to do this. Sometimes it's a challenge to find the right people for the role. And especially if you've been waiting to try to fill this role for a period of time, you might be apt to go, well, let's just modify this NDA. I gotta get somebody on because I have been dying here. Um, that makes it very difficult, right? That makes it a bit of a challenge. However, yeah, the moment you start making those compromises, it will come back to bite you. And it may not come back to bite you because you'll leave the company, but when you leave the company, somebody else might be stuck with the problem. The real answer, though, or the most correct answer is B offer to have legal counsel explain the NDA terms, but make it clear signing is a condition of employment for roles with access to confidential information and be prepared to withdraw the offer if they refuse. Okay, so that makes sense, right? Out of all those questions, you read it, you're going, Yeah, that makes sense. That's just the good human theory, right? So you need to make sure, though, but that the legal team comes in and explains all of the nuances behind it. You are not a lawyer, and therefore you explaining it to them can open you up, your company up to some sort of legal litigation aspects in the future.
So I would highly recommend that if they have questions about the NDA, you bring in the lawyers and that's what you're paying them for. Let them deal with it. The next question: an employee receives a job-related certification that significantly increases their market value. The organization's policy requires employees to reimburse training costs if they leave within two years. The employees give notice after 14 months they refuse to pay, claiming the policy is unenforceable. What is the primary personnel security consideration? Okay, so an employee receives a job-related cert. All right, that increases their market value. So a CISSP. Ho ho ho, you just got the CISSP certification. So guess what? You are now looking for a new job. The organization's policy requires you must reimburse the training costs if they leave within two years. So at the 14-month point, the guy, gal says, I'm out, and they refuse to pay because they said it's not forcible. What is the primary personnel security consideration? Okay, a whether the training reimbursement dispute distracts from more critical onboarding security tasks, access revocation, asset returns, knowledge transfers, exit interviews, and monitoring for potential data exfiltration. B, the organization must immediately pursue legal action to enforce the policy and set a precedence. C, the organization should waive the reimbursement, maintain goodwill, and encourage future boomerang hiring. Or D, HR should immediately disable all accounts to prevent the employee from retaliating. Okay, so let's go through these questions and find out which one is the correct answer. So let's go with D. HR should immediately disable all accounts to prevent employee from retaliating. Okay, that's something that should happen, right? So the person gives their notice, they're done, they're out, and you should immediately disable all accounts. However, it says HR should immediately disable all the accounts. 
Now, maybe in your corporation, maybe the HR does that. They maybe they have a software program that automatically goes and disables accounts. However, that is not the correct answer. The organization should waive the reimbursement, maintain goodwill, and encourage future boomerang hiring. So that is one of those that it would probably best to go, yes. You think about the overall aspect of maintaining goodwill and encouraging future boomerang hiring. However, that's not the primary reason for the not the primary security concern. So the key thing here is what is the primary personnel security consideration? So that's not a security consideration. It's a positive, it's not the primary one, but it's it's a positive you'd want to do. C, the organization must immediately pursue legal action to enforce the policy and set a precedent. Okay, so that would just actually bog you down. You'll spend more money probably trying to chase that rabbit than you it's actually worth. So your legal team and everyone else, you'll just spend a bunch of money and it really won't be valuable. So let's go with the correct answer. The correct answer is whether the training reimbursement dispute distracts from a more critical on offboarding security task, such as access revocation, asset return, knowledge transfer, exit interviews, and monitoring for potential exfiltration. So the point of it is that you if you do you're focusing on the money and you're not focusing on getting the person ejected from your system. And you what ends up happening is that person could be using that as a ploy to cause more damage within your company. Just let's just talk about this. Let's see what we're doing. But they should have probably disabled accounts immediately and got the person gone. So that's the bigger security consideration related to the cybersecurity professionals. Next question. 
Question: An organization discovers an employee has been maintaining a popular cybersecurity blog where they discuss industry trends and techniques. The blog occasionally references lessons learned from work without disclosing confidential information. The employee never disclosed this activity. What is the best course of action? I lived this life. So yes. What is this? A immediately terminate the for unauthorized disclosure of company information and activities. Yes, fire them immediately. Send them to the door. B. Issue a cease and desist order requiring the employee to shut down all the blog immediately. C. Require all blog posts to go through pre-publication review by legal and management. Or D. Review the blog content with legal and communication teams. Discuss the employee to understand the scope and intent, establish guidelines for acceptable external activities, and potentially leverage a positive brand building with appropriate oversight. Yes, so the more wordy one is always correct. No, it isn't, but in this case it is. So let's go through which ones are not correct. Immediate termination for unauthorized disclosure of company information and activities. So yeah, it's a bit draconian. You can do it. I highly would not, I would not recommend it. It will cause a ripple effect through the morale through your company. So I would not do that. That would be bad. You could, but it would be bad. B, issue a cease and desist order requiring the employee to shut down the blog immediately. Kill it. Put it down. Again, very draconian. That's a bit of a instead of using like a ball peen hammer, something small and dainty, you end up using a sledgehammer. That's not the right thing to do. So just not a good idea on that one. C, require all blog posts to go through the pre-publication review by legal and management. Okay, that is probably a bit better than hitting them over the head with legal action or uh going and telling them there's a they're gonna be terminated.
That's that's a bit better. So we're not quite so draconian. We're more dra, not Draconian, but we're actually still not good. So the answer is, like I mentioned, the one with a lot of words, and that's review blog content with legal and communication teams, discuss with employees to over understand scope and intent, establish guidelines for acceptable use, and then potentially leverage positive brand. Okay, so I'll give you my whole skinny on this. I've been doing this blog post or blog, I've been doing this podcast for about three, no, probably five years now. And you know what? Because of that, I had to go to my legal teams and I talked to them, said, Hey, I have this, I do this, I talk about stuff. I don't talk about you as a company per se, uh, but I do talk about things that I've learned. Do you have a problem with it? And I had to go in there with the attitude of going, well, if they got a problem with it, then I may have to determine if I have a problem with it. And they did not. They were very good. They looked at my my they went to the site, they looked at it, they looked at all the different things that are there, and they decided, you know what, it's not a big deal. We're not too worried about it. Okay, go and have fun. And the point was I just wanted to make sure that they were all tied up on this and they understood what we were trying to accomplish. So, again, that is a good example of what you should do. All right, the last question: a financial analyst is being terminated for performance issues. Bummer, dude. During the notice period, security monitoring detects that an analyst accessing investor presentation files they don't normally use and copying these files to USB. Insider. What is the most appropriate immediate response? Okay, so you got a financial analyst who's getting terminated because he or she just isn't performing right. But they're snooping around and they're putting stuff into USBs. 
So first problem is why do you have USBs within your company? But that I will digress on. So let's go through the answers. A continue monitoring and gather more evidence, evidence before taking action as premature intervention could alert the employee. B immediately disable access, secure workstations, conduct an investigation with HR and legal, and preserve the evidence and determine if law enforcement involvement is warranted. C confront the employee directly about the suspicious activity and demand the return of any copied files. Or D. Wait until the scheduled termination date and then conduct a full forensic investigation to build a legal case. Okay, so all of those have hints of goodness in them, but they're not the most appropriate, right? That's the key. What is the most appropriate? So which one is not correct? Wait until the scheduled termination date and then conduct a full forensics investigation. That's probably the worst one, right? Uh the the whole point of that is that I don't know when your date is, but now you're just saying, okay, have fun, take all the stuff you want. And so they just take it, right? Um, so that would be a bad one. You don't want to wait until the scheduled termination date. Because C is our one another one is C. That was D. This is C. Confront the employee directly about suspicious activity and demand return of any copied files. Okay, that's something you're going to end up doing, uh, but that's not the most appropriate immediate response because that's probably step two. Step one is what we're going to talk about here in just a minute. Uh, then one other one that's not correct is continue monitoring to gather more evidence before taking action as premature intervention could alert the employee. So taking action, this kind of falls along the lines of the last one, which wait until the scheduled termination date. 
Uh, you're just trying to build your case on a and you're trying to make sure to determine do you have everything you need to drop the hammer on this individual. If you know what you saw and you can confirm it, there's no reason to wait, right? You don't you don't want to keep waiting and let that data get exfiliated, exfoliated from your organization. So immediately disable the access, secure the workstation, and conduct an investigation with your teams, preserving evidence and determine if law enforcement is warranted. That is the most appropriate immediate response. So, but then you will then probably confront the employee and say, give me back my USB. Um, and so that is, but you want to make sure that you have as the moment you find out that there's something fishy going on, you shut her down, baby. You shut her down. And then you go and you start building out a case against this individual. Uh so I had to do that, I did that a couple times. It's not fun, it's not good, don't like it. Um, yeah, it's very confrontational and you don't know how people are gonna react. So it's always good to have a buddy, a wingman, when you do something like this, because you just you really don't know in today's world how people are gonna what they're gonna do. Some people might freak out. Uh all the people that I ever worked did this on, they were all uh very sheepish. They realized they got their hand caught in the cookie jar and they were like, okay, you got me, I'm out. And so the the point of the conversation we had with them is uh if one, you you don't give us this back, we're gonna come after you legally. Two, um, once you give it back, if you say anything bad online, we will come after you legally. Uh, if you do, if anything happens to our organization, we're gonna come back after you illegally. So they they knew going into this that there's they did something very inappropriate and they're gonna pay for it. So just something to kind of consider. 
All right, that's all I have for you today. I hope you guys are enjoying this. Please let me know. Send a shout out on uh through email. You can send it at contact at CISSP Cyber Training. You can reach out to me through the different types of uh ways you listen to this. I hope you're getting value out of it. I'll tell you, this is stuff that you is extremely valuable and can be extremely profitable for you by listening to this podcast. Just by getting this knowledge and expertise, uh you can turn around and utilize this in ways that can help you and your family with your cybersecurity career. I can't stress this enough. This is 20-some years of experience that you're getting just by listening to a podcast. So it's pretty cool. It actually is pretty cool. All right, have a wonderful day, and we'll catch you on the flip side. See ya.

Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes. I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training, and you'll find a flip through the oracle of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 363 CISSP questions to help you in your CISSP journey.

SPEAKER_00:

Thanks again for listening.