L13 September 9, 2023 Meeting Recording - Governance, Risk & Compliance
Document Details
Uploaded by PreEminentJaguar
2023
Summary
Meeting discussion on September 9, 2023, covering topics around managing risk in cybersecurity. Information assets, critical systems, and security programs are at the center of the conversation.
Full Transcript
is to manage risk in cyber security. And for us to manage risk, we must identify what we want to manage risk around. So our information assets, we usually include our system, our data, our key resource, our people, our data center, you know, any infrastructure we use to do business. So these are regarded as information assets. So as part of our infrastructure, we have identified these following systems to be key or to be critical systems for organization. CRM, customer management system, HRMS, internal portal, ERP portal, database, point of sales application, customer, customer and corporate websites, customer portal and corporate website, broker or group portal. We have client portal. All applications are within the organization. Some are accessible from the internet, such as customer portal, broker portal, corporate website. Other applications are not exposed. So the corporate website doesn't contain sensitive information. So the key application information, we talked about the different applications and the type of data that they have, right? So we are not saying that the organization must protect sensitive data as a mandate by us and to also meet our senior leadership requirements to minimize risk and enhance stakeholders' value. We have a new system and it has just commissioned, it has a commission. So basically, it has contacted a third party to do an external assessment to evaluate our security maturity, to evaluate our security program just to know our security maturity, you know, from level one to five. So the cybersecurity team is not tasked with creating a three-year roadmap to improve security posture. I'm going to do a gap analysis to identify areas of improvement, include compliance with PIPEDA and OSPI. I'm going to establish cybersecurity governance. We're going to create structure of cybersecurity team. The team is going to include the manager, director of specialists, GIC, security analyst.
I'm going to be using industry framework standard and compliance requirements. Different framework and compliance requirements to guide this security roadmap. Yeah, I'm sure I'm going to be sleeping when I read this. So the cybersecurity manager will draft policy for various, I'm tasked with drafting policy for various cybersecurity program. Those are some of the things we are going to, these are some of the program. Data governance, data protection and privacy, vulnerability management, threat and penetration testing, incident response management, security awareness and training, data recovery, network infrastructure management, and the likes. So before now, individual in this team were tasked with creating, individual were tasked with creating, sorry, something is still in my head. So individual were tasked in this team to create policy for each and every one of these programs. So we have people that created or that are creating data governance, data protection and privacy policy. We have somebody, some of them have submitted their policy, threat management, incident response, and there are resources we can use to create this policy. I will also share some of those resources as well, where you can get the policies, the devices you can use. Yeah, if you need access to these resources, please just message me if you are just joining. I will send you information about them. So to ensure effective protection of our organization, we need to identify our assets, including our data. So the first step in cybersecurity to manage cybersecurity risk is identifying your information assets. You need to know where all yours, what are all your systems, where they are, see how they connect, know what type of data that are stored in them. You know, and this infrastructure includes your data, your application, your services, your server, your storage, your workstation, your network, your transmission media, your data center, and the likes.
So you need to have information about all these things so that we can protect them accordingly. So we tasked the team to create an inventory of our data systems, all our hardware assets, and categorize them based on their criticality to the business. So all these systems that we have talked about here, the team created spreadsheets. If you have your own spreadsheet, please share it on the screen. Let's see what you have got. Hadizi, please, you are the two people that I have here that I think would have done, I don't know where the remaining people are. Oh, did I send them to the team? Somebody is asking, do you have class today? After 30 minutes, you have finished class, put it on the chat, do you have class today? Maybe the link to the class went to, maybe went to, where is it? Oh, Mr. Jonathan, yes, just like it did for testing. All right. I actually thought I was sharing my screen because I was looking at the screen and I was talking and referring to something, but that was not the case. So that's just a brief description. Please, let's see your spreadsheet. So what we have done is we have, we need to identify all our assets. So we have created a spreadsheet, we have identified all these assets that we need to do, we need to, we need to protect. Now, Mr. Jonathan, what happened? I saw you asking if you have class today. All right. So, yeah, please. Yeah, I can see you have just 10 applications and systems. So we have categorized them, tier 1, tier 2, tier 3. Tier 1, tier 2, tier 3. That's what we categorize them as. Yeah, please take us through what you have on the screen. Let's see. It's still a work in progress. So these are the applications that we had spoken about earlier and then we're asked to categorize them into tier 1, 2, and 3, with tier 1 being, I think, like the most, the application with the most sensitive data. And then we should also classify them into confidential, public, internal, private. 
So, yeah, and then we should also kind of like list out the data types that would usually be in this application. So this is just my own work. Yeah, so generally, I think most of the applications here would have PII, personally identifiable information, I think. And then some of them have health data, PHI. Some of them have, I think that the CRM, I'm probably going to and POS application probably have like payment card information. And so I just split them as according to how I think the kind of data that I think would be present in this application. And then we also said we should add like what kind of encryption algorithm would these applications use. I think that generally AES, whether it's 256 or 196 or 192, but AES generally is one of the most secure encryption algorithm that is generally used across for that across different types of applications. So that's why I have it right in all of them. That's my understanding. And then some of the other ones I included, like the triple DES, I know that is used mostly for applications that have like a payment function. Yeah. So I just kind of like read on different types of encryption algorithms and I kind of like categorize them into the different applications based on my understanding. And then from the encryption analysis, I wasn't sure if we needed these states of the data encryption, being encrypted or what, but like there's data at rest, data in use and data in transit, three of them. And usually maybe it should even come before, I don't know, but what I was able to understand is that based on these three, data in use, data in transit and data at rest, they are typically encryption algorithms that do well depending on if it's data in use or data in transit, like they are typically encryption algorithms that do well with that. So I was supposed to kind of like also split that. 
And then I think this was the final one I got from my notes, that we should also put like, I think it was from the last two classes, that we should also include like security controls or safeguards. I wasn't really able to get, like when I tried to read up on it, like I would see different information. So it was actually something I was going to ask in class, like maybe I missed it or something, but what were the categorization of security controls that maybe we're able to split this into, because it seemed like the information was everywhere. But yeah, we're supposed to include safeguards or security controls that we think make sense for the applications that we've just laid out here. Yeah, that was good. Thank you so much. Don't unshare your screen, please. Okay. So what I was looking for is, I would love to have, yeah, first, second column was good. Information categorization, yes. I would like to see the data type before the data classification. I want to see, we have the data type, this data is this type, and that's why we are classifying it this way. Okay. We have this, it has PII, PHI, it has sensitive information, that's why we're going to classify it. Confidential, internal, public, if this is your choice of classification, that's fine. So from there, anything towards the right, I requested that we should, for every data that we have identified at sensitivity level, we should put, we should research on different controls that can be put on data and we put it on the side. For instance, access control is a security safeguard on data. What are the things that you can put in place to safeguard a data when it comes to access control, right? Access control, you have done the labeling, what are the things you can put together? Maybe you may say, oh, there has to be access provisioning request, it has to be, it has to be a rule base, it has to be least privilege, approval has to be gutted, you know.
The essence is that if you are doing security assessments, you are going to be asking questions as regards all the different controls and different framework which you are still going to explore, you know, that talks about, if you pick up a framework, for instance, and look at data protection under a particular framework, you will see a lot of recommended controls, you know, on it and you can now put a column for each control and say, okay, for this data that are PCI DSS, I will make sure that there is MFA, there is authentication, there is authorization, authentication has MFA or does it have MFA, does it not have MFA, oh, we are using this type of authentication, you make sure that, you know, anything in our access control, anything you can lay your hands on access control, you know, that you can use to protect this information. And the essence for you to not to just put something is to also understand why those things are also needed too, right? The other one could be log, how do you log access to this information? How is the data, how is this data retained? How is the data disposed? So, data disposal, data retention, these are different controls you can put in place. Is the data backed up? You know, how is it backed up? If the data has been transmitted physically, what are the controls that you are going to put? When is it physically printed out in the paper? How is, how are you going to do it? Who is having access to that? Are you sharing it with third party? You know, when you want to share it with third party, what would you do? Are you going to have NDA signed? You know, if the data is going to be transmitted, are you going to put encryption in transit, encryption at rest? So, now you have put encryption here. I just want you to tell me encryption at rest. This is what I'm going to do. Encryption at rest. I'm going to use AES-256. So, I'm going to use triple DES. Encryption in, sorry, encryption at rest.
Encryption in transit, maybe you want to use SSL 3.0 or you want to use TLS 1.0 or 1.1. You know, for encryption in transit, you know, these are safeguards that we want to consider when it comes to, you know, protecting our different data. Each column, we can keep increasing the number of protection that you provide to this, you know, and understand why you are providing that protection, that different control safeguards. Any questions? Yomi and Leslie, I'll touch you up on this one. We talked about DLP. You can also talk about as part of the control is putting data loss prevention control to do the following thing, right? So, it's about safeguarding our data. In our previous class as well, we talked about DLP. Let me see, sharing my screen. We talked about DLP, data loss prevention, yeah, data loss prevention to safeguard our data. So, for the scenario we talked about, the scenario we talked about, the program we are working on is Data Governance, Data Protection, and Data Privacy. That's the program we are working on as a team now. We have looked at all our systems. We have looked at all our data. I think the last assignment I gave was on data flow to say we need to understand our data flow for each of the systems. It's in the data flow diagram to say, okay, I have chosen a CRM, for instance, customer relationship database. How do we get data in the CRM? Are we collecting it or we are creating it in the CRM? We use flow dot, I mean, we use diagram.net or draw.io to do that. So, we said we should use diagram.io to start. So, you can create this in the source collected and we showed us a sample for us to create that. Okay, we showed us a sample to say, okay, let's create that data flow. For instance, the customer is providing us a data, so we are collecting it. We collect it through maybe WordPress or a customer relationship platform. We store it for marketing purposes. We make sure we store it in our local database. 
From database, some data that are more than our retention period, we want to get rid of them. We don't want to keep data. The more data we keep, the more risk it is for us because if our contractor gets a hold of our data, we are going to pay. The more data he gets, the more money we lose. So, in sensing data, we want to follow the compliance requirement to make sure that those data are handled appropriately. So, some data will be archived into an archived database and some is going to be accessed from the database. Our CRM application will be pulling the data. So, the data is going to flow from user to the WordPress. It's going to sit here in the database. Sales teams are going to use the CRM application to pull the data and view the data. So, this is accessed. This is archived for destruction. This is where it is stored. So, our data is stored here. It's also stored here. Anywhere data is stored, we want to make sure that the data at rest is encrypted. Data moves from one component of the flow to the other. Make sure that they are all encrypted. So, I said we should pick a system among all the systems and do a data flow diagram. How do you think the data is going to be collected or exist? I hope that makes sense. So, those are the things. In the last class, if you are still home, now I'm just going to use this as an example. This has created a new entry. It needs to identify different data protection controls that we need to put on data to have it secure. We put them in different columns. You know, then she's going to pick one of the systems. We are going to pick one of the systems that we have highlighted and draw a data flow diagram. Feel free to choose anyone. What do you want to use? You want to use your diagram.net or draw.io. You can use this to draw for free and save it as a file. So, in our last class, we talked about privacy. Sandra, who is our privacy developer, took us on privacy.
Because we said data is very important and privacy, I mean the privacy of our personal data, it's a law. It's not a law and we need to understand that so that we can advise our organization on how to treat that. I sent a video to some of us. I'm not sure if you're able to go through the video. Many organizations collect one data or the other from their customer to provide them service. I'm just going to recap. There are principles for handling personal data. So, we discussed this principle and we have to keep that. We have two. I'm going to talk about Canada just now. We have two privacy regulations at the federal level. I repeat, we have two privacy regulations at the federal level. The first one is the Privacy Act. The Privacy Act only talks about how the federal government of Canada is going to handle personal data that they collect. That's the Privacy Act. The second one is PIPEDA. There is a bill that is ongoing right now to make PIPEDA to be more strict, as strict as GDPR. GDPR is one of the, maybe it's one of the strictest privacy laws, maybe one of the most matured privacy laws in the world. So, Canada has a bill in the house now that wants to make the privacy of personal data, privacy of individuals in Canada to also be very strict. But for now, the federal is still using PIPEDA for private organizations. The Privacy Act for federal government on how they will handle personal data, but PIPEDA for private organization on how they will handle personal data is a law. Organizations that collect, I know some privacy law would have a threshold to say, yeah, if you're collecting, I'm not sure if PIPEDA has it. If you're collecting data from customers, 5,000 and above, you are obliged to comply. But if you are below, maybe not. I'm not sure if PIPEDA has that clause or not. Has anyone of you seen anything like that? Nope. So, one of the reasons why we are going to, one of the things we are going to do during our privacy is privacy impact assessment.
The privacy impact assessment, we do it in our organization today. Cybersecurity and privacy team work together to ensure that any initiative or any new initiative, let's say the business wants to embark on a particular initiative as a result of strategic roadmap. I'm going to cite an example. Oh, we want to reach out to, let's say we are an insurance company. Telepalm is an insurance company regulated by us. We want to increase our client base or customer base or member base by 30% in the year coming 2024. And there is a strategy that I've been drawn to say, oh, we need to do a lot more for insurance for pets, insurance for people that travel, insurance for soldiers, you know, some products like that. If you have that strategic direction, it may come to heights and say a CIO, how are you going to enable us to achieve this goal? Then the CIO will say, oh, we're going to build mobile application. The mobile application is going to interface with the user and do all these things. Then the CIO will call development team together and have a project manager who is going to be in charge and say, oh, we are going to build this application. Then what we do is before the application is built, the project manager knows that there is cyber security and privacy. They need to look at this initiative and be sure that we are doing this in alignment with privacy regulation. We are also doing it in a secure manner. So, the project team, we involve cyber security and privacy. What we usually do is that we provide a questionnaire, a threshold questionnaire, to even know if we need to perform the assessment, security and privacy assessment on the initiative or not. So, there will be a threshold document to just get real information. One of the information is, oh, is this application that will be built, is it going to collect personal information? What is the sensitivity level of the data that will be processed, stored, transferred by this application?
If anything is confidential or is restricted or we see that certain information is involved, then it means that it has crossed this threshold to say we have to perform security and privacy assessment. So, when we perform security and privacy assessment, we have to look at various things. Example, we have to look at the process for security. We look at it from security perspective, secure software development lifecycle. There are so many processes that need to be followed in the development of that application. When it comes to privacy, we want to ask so many questions about privacy, you know, and their questionnaire. So, I shared this, maybe not shared, I showed this, I showed one of the questionnaire in the last class to say, oh, this questionnaire is what we are going to use. So, Sandra will be using that questionnaire with us to complete that exercise. So, we are going to perform a TIA, as we call it. We do PIA and TRA for initiative. TRA is Trust and Risk Assessment, TRA, Trust and Risk Assessment, Trust and Risk Assessment of initiative. Then we do PIA, the privacy team will do PIA. Usually, we do that within projects, within our organization. But if you are bringing in a third party to go and do stuff for us, maybe in this initiative, there are assessments we also need to perform like TPRM, TPRA, TPRM, Third Party Risk Assessment, Third Party Risk Management. So, we want to understand the risk of the third party that they are going to be bringing to add to our own risk. Because we have our own risk as an organization, we have our risk threshold, we have our risk tolerance, we have done our risk framing. So, if you are looking for the organization to come and work for us to achieve this, that means we are inheriting additional risk. So, we need to know the inherent risk of that third party because we are going to be adding that to our own. If it's within our risk tolerance, then we are good. If it's outside, then we need to do some things. 
So, that third party risk assessment is also very important. But before we get to third party risk assessment, there are other processes, you know, making sure that we have gone through the contract, but we are going to do TPRM in this class. So, I'm just giving you a hint of what is going to happen subsequently. Now, let's come back to Teleplan. We are going to continue our privacy talk on Thursday. But today, let's continue our security program. Because we are working on we are working on data governance right now. We are going to look at different frameworks, what they talk about data governance. There are so many frameworks. I'm just going to scroll forward. These are 10 principles that we talked about of PIPEDA. This is Sandra who is helping us. We also talked about different how policy becomes a regulation. We have somebody propose a policy becomes a bill. Right now, there is a bill in the Legislative Assembly about the privacy of Canada, Canadians. So, the privacy of not just Canadian, any Canadian or resident of Canada. I hope that English is correct. So, there is a bill going on. Now, organizations are beginning to learn about the bill. Because by the time it becomes legislation, it becomes a law, you don't have a choice, you have to comply. So, organizations that are proactive, they are also following the bill and putting things in place, right, before it becomes a legislation, before they created regulation out of it from a law. So, we talked about that the Legislation Act and regulation are created by government bodies, you know, standard framework are created by, you know, different bodies. We talked a little bit about different regulation standards and we asked questions that which one of these are these. GDPR, ISO 27001, PIPEDA, CCPA, California, Zip Privacy Protection Act, Nigeria Data Protection Regulation, CSA. We asked questions and we all said we went through to see what they have. So, GDPR is for privacy. Sandra is going to talk us through this.
But basically, GDPR is a privacy regulation. It is a regulation that is used by not just European Union countries, also any country that is within the European economic area. And these are some of the things that GDPR highlights as requirements. You know, those are some of the things that Sandra discussed with us, you know, last week. It's three o'clock, we take a 15-minute break. Yeah, we talked about GDPR, we talked about PIPEDA. PIPEDA has, you know, these requirements. Yeah, we talked about PIPEDA briefly. Sandra is also going to talk about privacy. So, I'm not really interested in this one. This is California Customer Privacy Act, CCPA. California Customer Privacy Act, CCPA. Something is wrong with this CCPA. Is it Canadian Privacy Protection Act? Yeah, this is the new PIPEDA. Let's see. Consumer Privacy Protection Act, yeah. So, this is the new CPPA. Maybe I'm talking on the wrong screen. Maybe it's already a law. I'm going to update myself. So, I don't really have a lot of information. CCPA, Canadian Online Privacy. I'm not a privacy person. I'm just including my knowledge in privacy. That's why. CPPA will empower them to issue order to non-compliant organisations. Accountability for enforcement. Yeah, I was going to say that. Well, this is for GDPR, for compliant GDPR. CPPA, 5% of revenue. Yeah, it's very close to EU privacy. All right. So, that's that. So, let's talk about, these are standard. We said standard is different from regulation. Regulation is different from frameworks. We said there are regulations. You have no choice. You have to be compliant if you are operating within the jurisdiction where the regulation is enacted. You have to be compliant. It's compulsory. We said standard is also compulsory. But as a condition to it, there are some standards. Maybe there are some standards that you, by yourself, you voluntarily say, hey, I want to be compliant with this standard. As soon as you say you want to be compliant, there's no choice.
There are some standards that you have to, you don't have a choice if you are doing some certain things. Example is payment card data. If you have payment card data being processed, stored, transferred by any of your system, then you have an obligation to be compliant to PCI DSS. So, that is a standard as well. This is another standard out there, which is popularly called SOC, SOC, System and Organization Control, by American Institute of Certified Professional Accountants, yes, Certified Professional Accountants, CPA, sometimes CPA, yes, Certified Professional Accountants. Somebody can help me confirm that. So, AICPA, they are the one that is directing the affair and can issue SOC reports. So, what are the requirements that SOC will be looking out for when it comes to data governance? What are the requirements that a framework like NCSF will be looking out for when it comes to data governance and data protection? What are the requirements that maybe CIS Control will be looking at when we talk about data protection? I'm going to leave SOC because there's a lot we need to talk about around SOC for now. I will just show a little bit from, let me see if I have, okay, CIS Control, is not certified, Chartered Professional Accountants. I'm usually confused whether it is chartered or certified. When you are chartered, you are certified, right? So, we got CIS Control version 8 here on the screen. CIS Control, we don't have anything on, CIS Control has, I know some of my students, they love CIS Control. It's just very simple. If you look at the data protection section of CIS Control, so guys, some of the things you are looking for here, also have it on one screen. So, these are some of the data protection controls that you can put in place. Make sure you have established and maintained a process to address data sensitivity. Make sure there is data owner assigned.
So, for some of the data that you have on your spreadsheet, you should have, maybe have a column and say, CJ is the data owner for this one. Peace is the data owner for this one. Test name, Jonathan is the data owner for this one. You have a data owner and the data owner should understand and know their responsibility. We have data owner, data handling and data retention limits. How long do we want to, you know, limit this data? Please feel free to make an assumption. How would the data be disposed? You know, put something in there, understand data disposal requirements, have sensitive, based on sensitivity, how the data will be disposed based on sensitivity, retention standard and things like that. So, these are some of the safeguards. And here, it talks about establishing and maintaining an inventory of your data. Make sure you have inventory, you have a data management process. Inventory of sensitive data, at minimum, you should also review it annually. So, if you have a policy that, you know, tell you what to do, you know, and also when to do some of them. It's saying here that configure access control, that's another safeguard you can talk about. Talking about access control, ensure that, you know, there is access control. Access control is based on least privilege. People are only given permission based on their role. Make sure there is local and remote files before people can access it. Whether it is application or database, make sure there is access control. Talk about retention. Retain data according to enterprise data management process. Data retention must include both minimum and maximum timeline. So, data should not be kept forever. Talk about how it is going to be retained. And also disposal, secure disposal of data. When you don't need data anymore, put a control, tell us how you are going to dispose them. Encryption of data, make sure that your data is encrypted at the disk level, or is encrypted at the file level.
You know when the data is encrypted at the disk level, when the disk is taken away. Example is BitLocker. When the disk is removed from the computer, you cannot, somebody cannot have access to the data. However, if I'm able to log in into the computer and I can see the data in an application, I will still be able to copy the data away. So, as such, you have only encrypted the data to protect, maybe your data system is lost, somebody, you don't want people to see the sensitive information inside the drive. But the data is still at rest, maybe on your local file. If I'm able to log in, I can still copy the sensitive data away. So, what should we put in place to say, even though the data is at rest, we have disk level encryption. If the sensitive data, if an attacker breaks into our network, would they still be able to exfiltrate it? Because they'll probably be connecting remotely, they won't come into our physical data center to remove a drive or want to take it away. So, we must still be able to do encryption at the file level, in the sense that when the data is copied away from the application, whether from the database, if it's copied away, it is meaningless, it is not useful, because the encryption key is not going to be available when the data is outside of the system. So, we must be able to do encryption, understand that encryption of data, especially for sensitive data, is very key. So, in this project that you are working on, if everything is confidential, you have to spend the same amount of money. The question is, all the data in that system, do they want you spending that money on them? Do they have the same level of sensitivity? The more sensitive, you know, you should implement your control based on your risk, right? Um, there is another one that says establish and maintain data, what time is it? 3.03. I'm going to start from here when I come back. I need to take a break for, let's take a break for 15 minutes. Let's take a break for 15 minutes.
So, I've got some tools, you know, that I'm going to, I'll send us a link to that tool so that we can download and have a copy instead of sharing it here. Um, we'll see you back, see you again in 15 minutes. Hello guys, so if you're here, share me your names, type something, say hello, type hello, type yes, raise up your hand, let me see if you are, if you are okay. This is here, this is here, this is young here, this is Gerardo, are you here? Yes, I'm here. Okay, Golandia, are you here? No one is not here. Austin is here. Austin, are you here? Let's see here. Of course, I'm here. Awesome. All right, so, yeah, we jump right into assessing the data protection controls that we've got in CIS control, CIS control framework. We didn't really talk about CIS control framework, some of us are here, maybe, maybe, maybe for the first time, maybe not. I'm just going to talk about the data, we are going to complete assessment of, you know, I'll review the data protection controls in the CIS control framework. So, we're talking about establishing and maintaining data classification scheme, which some of us have already done before. An organization must have a way that they have classified their data based on their sensitivity level and in our class, we said governments usually classify data differently than private organizations. So, the institution must establish a classification sensitivity or level as it is labeled here, sensitive, confidential, public, internal, top secret, you know, different classification level and label the data. There's one thing to classify and not label the data, there's another thing to classify and label data with their classification level. Yeah, Mr. Jonathan, go ahead. Yes, what exactly are we doing? So, I don't have, I'm confused. Is it in the assignment? No, this, this, yeah, what we are doing presently, so what exactly? So, we are doing right now, okay. Yeah.
We are working on data governance, data protection and privacy program and initially we have talked about systems, the data that are in those systems, we have identified the systems which we discussed and we have talked about the data in those systems and I gave you guys an assignment to provide security controls on how to safeguard the data that you have identified. Please share that screen. We saw the systems, we saw the different types of data, you know, those that are contained in those systems hold PI, PHI, you know, and PCI, some of them, and ICIQ. What, how do we ensure that we protect that data? What are the different types of protection mechanism that should be applied to different types of data? And these are the protection mechanisms, these are S4 that are provided for you guys now to be able to, you know, do that, your assignment going forward. Is it making sense?

So, I said that for us to see the safeguards, like the security controls to apply to protect our data, if we look at different frameworks, we will see what they have to say. This is a framework, if you look at different standards, if you look at, you know, maybe regulations, some of them are saying how you should handle your data, the controls to be provided, you know, on the data. And CIS Control, because I have it open here, and we are just looking at the data protection section in CIS Control. CIS Control is a framework. In this framework, these are different requirements. By just jumping into the data protection section of the CIS Control, so that you can have the information you need to complete that section of your assignments. Does that make sense, sir? Yeah, thanks. Okay.

So, there is this first control, you know, we picked up CIS Control, and if you are doing another program, we are going to pick another framework or standard randomly and see what they are saying, but this is just the first one, right? So, we said, yeah, go ahead.
Are you saying that for the assignment, sorry, are you saying that for the assignments in this safeguard security control section, that we should use like any, we should use the CIS sequence as like our example? Yeah, use it as a guideline to provide, yeah, use it as a guide. You say, okay, yeah, they're saying we should log, one of them says that we should log access to sensitive data. That is a control. It means I want to see who's accessing the sensitive information, you know. It's not just copying and pasting it, you know. Just understand that, because you are going to be doing security assessments. You may be third party, you may be within your own organization. You want to know how the organization or third party or you guys are handling data within the organization. So, these are different controls. I'm going to ensure that sensitive data in transit is encrypted. These are options. I'm going to ensure encryption of data at rest. These are things we should do. We need to make sure that data are segmented while they are in process, you know. Does that make sense?

So, as part of the control, you can see, where are we? I changed, let me see, okay. We talked about this label in ensuring that our data are going to be classified. We also said classification of data. Let's say documents can be labeled, you know, with a watermark that says confidential, or a footer or header that says sensitive, you know. We can label it a particular way. And DLP, Data Loss Prevention solution, I sent us a video on one of them. Microsoft is a popular tool. Microsoft has a DLP tool that can help you to, you know, automatically label your data. You can tell Microsoft to scan your computer, scan your server, scan your file server. It's going to scan it. We call it the discovery process. It's going to discover the sensitive data. All these tools already have, I will call it, an algorithm.
They already have a way of identifying credit card numbers, identifying email addresses, identifying house addresses, identifying people's usernames and, you know, things like that. Any PI information. So, they will scan the environment and say, hey, CJ, these are the locations where you have sensitive data. Are you sure you want to keep them? Do you want to clean them up? Then you can begin to clean your data up, because you shouldn't have sensitive data everywhere, you should have it in one place and make sure that it is properly safeguarded. Are you following? Any questions so far? Are there any questions? Okay. All right. I don't have control. You want to say something? No, no, no, no, no. I have no question. I'm following you. All right. Nice.

So, 3.8 says that we should document our data flow. Why do we need to document our data flow? If we don't know how our data flows, sometimes we don't know that we are actually sharing sensitive data with a third party. We don't have a data flow diagram that says, oh, this is how this data originated, whether we are creating it or we are collecting it. And this is where it is stored. From this location, this application will come and fetch it and maybe send it to somebody else. If we don't have that data flow diagram, we won't have visibility of how data is leaving our environment or how it can leave our environment. So, we are advised to create a data flow diagram for sensitive data and make sure that we document that and make sure we update it annually or when there is a significant change.

Next one is encryption of data. So, the use of removable devices poses a significant risk to organizations. If you copy sensitive data onto maybe an external hard disk or thumb drive and you travel and you lose it, somebody has access to that sensitive device.
So, we want to ensure that any drive, any flash drive that will be used to copy sensitive data is encrypted so that when you lose it, anybody that gets hold of it won't be able to see the information on the flash drive. And we already talked about data encryption, at rest and in transit. And also, there is a requirement here or a control here to segment data where it is processed or where it is stored. You should be able to ensure that data with the same level of sensitivity are kept in the same area. Don't process public data on the same system where you have very sensitive data. It doesn't make sense. Make sure that you segment them.

Implement data loss prevention, DLP. Implement an automated tool such as host-based DLP and network-based DLP to identify all sensitive data stored, processed or transmitted through the enterprise assets. So, most organizations don't implement DLP. DLP is just an application, just like an agent that is going to be installed on your computer. That is a host-based DLP. When it's installed on your computer, any user in your organization that uses that computer won't be able to just copy or misuse sensitive information because they are being monitored. Right? Does that make sense? Are we good, guys? Yes. Okay. We are saying DLP, if it's installed on your computer, is just like any application on your computer. Depending on what the DLP admin has configured, if you are trying to copy sensitive data from your computer to your flash drive, it may say, oh, this data cannot be copied. If you want to send it to a printer so that you can print it out, it may say, no, this cannot be printed out. If you want to upload it to your Gmail account or you want to upload it to your Google Drive, it may say, oh, no, this cannot be done. So, a DLP is going to not only scan the network to discover where sensitive data is, it can also control the flow of sensitive data within your environment.
Lastly, CIS Control has 14 sub-controls. It says that it will log sensitive data, including how, when it is modified, and who is disposing of it, who is accessing it. Make sure that you keep the log so that you can always do an audit of who is accessing the data, if they have the need to know before they access it. Make sense? Sure. Sure. Nice. So, that's data protection.

So, let me now talk about this CIS Control. CIS Control is one of the frameworks that is out there. I don't want to say it's a good framework. It's very simple, straightforward, but it has limitations. So, these are some of the things you should know. CIS Control has limitations. Number one is a technical control. It is what? It's a technical control framework. A technical control framework in the sense that it focuses more on technical. You know, we have different types of control. We have testing. You can remind me if I didn't mention some. We have administrative control. We have physical control. We have technical control. Which other one do we have again? Are you still there? Okay. So, yeah. So, we have those controls, but this guy is mainly focusing on technical control. He has left physical control. He has left administrative control. What are the administrative controls? Governance. Governance is very key. To even implement all this technical control, you need to have good governance in place. You must have good leadership, cyber security leadership, good risk management. You know, you must put a structure in place, but CIS Control has nothing about governance. It doesn't have anything about privacy. It's silent about privacy. Privacy is key. Although it talks about data protection, it does not talk about data privacy. Data protection is different from data privacy. Cyber security has to do more with data protection. Data privacy is a different thing which we started talking about in our last class.
It talks about how the data is collected, how the data is used, you know, the rights of the individual. But this guy is silent about it. Risk management. He didn't talk about risk management. Although if you implement the technical controls, it's going to reduce your risk. It talks about risk assessment, but it did not talk about risk management. Those are two different things. So, he's saying that we should do penetration testing, we should do vulnerability management. All of those, we are doing it to assess our risk and identify it. It did not say anything about third-party risk. Okay, it did say something about vendor management, you know, but it did not really talk about TPRM, third-party risk management. So, these are some of the deficiencies that it has. It doesn't talk about, you know, risk framing, understanding the necessary risk management generally. It's silent about it. Governance, privacy. Yeah, those are the basic three things, right? It didn't say anything about physical security. So, it has that deficiency.

But guess what? It is one of the recommended control frameworks that you should implement when you are starting a baby step in cyber security. I say that again. You are starting a cyber security program for an organization that does not have any cyber security program at all in place. It is possible to quickly do some stuff, put some things together. You know, CIS Control has helped you to group the control framework into three. IG1, IG2, IG3. Implementation groups 1 to 3. Implementation group 1 says that if you don't do anything at all, just do this one. The IG allows you, helps you to prioritize the implementation of all these controls. You will see that in this implementation group 1, you have 1 and 2 just to control. Out of the 5, it's saying that if you don't have a lot of resources, you know, give this priority. Just do an inventory of your hardware and do an inventory of your software.
Know what you have. Finish. Yeah, please do this one. If you don't have more resources, then you can prioritize this one. Then if you don't have more, then do everything. So that means IG1, IG2, IG3 are there to help you prioritize how you are going to approach implementing the controls. Are we together?

Another key thing you need to know about CIS Control is that it is SANS. I attended SANS training. They told us that it is a control framework. Control framework means that it is good for starters, like I said. They cited an example. You know, I said SANS, you know, SANS is a very good training institute, so I recommend them for you. I'm talking about what it taught me, what I learned from them. I'm sharing with you guys. I'm not sure if this is infringement of intellectual property or not, but it is a trained trainer thing. So they said CIS Control is a control framework and other matured controls, I mean other mature frameworks or standards, they refer to them as program frameworks. They say control framework and program framework. So control framework, this way you are taking every step. When you want to mature, you know, a cyber security program, they recommend other frameworks like NIST CSF. The NIST cyber security framework is matured, you know, it talks about all of these deficiencies that are identified here. Also, ISO, ISMS, information system management, ISMS, information system management, no, information security management system. I'm bad at acronyms, so I may struggle initially, just know that.

Yeah, just give me one second. Hey guys, just give me two minutes, I need to pick something. Somebody's on the phone. So sorry guys, there's a delivery guy at my house. I needed to sort that out. So we're talking about the CIS Control framework. Are we good? Are we all here? Hello, is my mic working? Yes, we're here. Yeah, sorry for the break in transmission. So I was saying that CIS Control lacks those, I think three or four things. I only talked about three things.
Governance, risk management, privacy, yeah, maybe one more, I can't remember the fourth one. And so those are some key things that you need to understand. So it has, you can see column A says CIS Control. I see one, one, one, it has 18 controls. We need to know that, all of us. 18 controls, control number one is the blue one, inventory of, I just say enterprise assets. Then the second one says inventory of software assets. Okay, let's see, inventory and control. Don't just list them. You also need to apply the necessary control. Inventory and control of enterprise assets. The second one is inventory and control of software assets. So if you are using this framework as a guideline for a cyber security program, these are the programs, these are the sub-programs you are going to be working on. I'm going to create a policy or procedure for this guy. And yeah, we should do an assessment basically. So I'm going to do a separate assessment based on this and I'll teach you how you can assess an organization based on each one of these and tell them what level they have.

Okay, so using this, you see we have inventory of software is control number one, control number two, inventory of, sorry, inventory of hardware is first, so inventory of software is this one. Control number three is data protection. Control number four is secure configuration of both hardware and software. Both hardware and software, does the hardening, making sure that these are configured properly. I've said it maybe in this class before, maybe not in this class. CIS has a benchmark. They have a tool called CIS Benchmark. It can tell you how everything that is ever for people, we will not say everything, most infrastructure, server, mobile phone, operating system, most infrastructure, CIS Control benchmark, they have it and you can use it as a guide to assess any system.
I've done an assessment for, you know, an organization before and we were going to use some infrastructure that I don't really have experience in. For the majority of the other things I've got experience in, but I needed a tool that will help me, guide me on how to assess those things, and I went on the CIS website to download a benchmark. For that device, they are going to tell you what configuration should be done and why. If you check the system, you can just tell the issue, can you show me where you have configured this facility? They show you, or show me the way you have configured it, why? They show you and it's not in alignment or it's lower than what is recommended by CIS. You know, to help the organization configure that system, the command or what to click to make it right, they are there, it is so good. So, hardening devices, hardening software, hardening operating systems, CIS Control benchmark documents will give you that. So, what they are recommending is that you configure your system properly. So, that's number four.

Number five talks about account management. Account management for systems, make sure that you handle accounts that are inactive for maybe 90 days or 45 days. Make sure the account has multi-factor authentication on it. They said here, they didn't say you should be changing your password every 90 days. As some organizations do, you ask them, on what basis does it come that you have to change your password every 90 days. You can't tell them it's perceived best practice. So, what I'm going to say is that what CIS Control is recommending is that you should make sure that you use a minimum of eight characters for a password that is going to be used with multi-factor authentication. If you are going to use MFA, that's a minimum of eight alphanumeric characters. But, if you are not going to be using MFA, it should be a minimum of 14 characters.
So, if you read through this document, if you don't have access to this document, please let me know, I'll send it your way, so you can go through it. You can see accounts will be disabled. So, the fifth control is account management. I didn't intend to explain each one of them. That just got my attention. The sixth control is access control management. So, some frameworks will combine account management and access control together, because those are the two that make the I for identity, A for access management. So, CIS Control broke them down into two. The seventh one is continuous vulnerability management, making sure that you are looking for your vulnerabilities and you are doing something about them before the bad guys identify them. So, our next, okay, no, in technical class, we're going to be doing vulnerability management next week. Yeah, application vulnerability management. What else? Number eight, log management, making sure you are keeping logs of all your systems, so as to detect and recover from cyber attacks. Number nine, email and browser protection. Configure your email properly and make sure your browser is configured properly. Number 10, malware defense. Make sure you have antivirus and a protection system on your computer. Number 11, data recovery. You know, this is another good thing to do on data protection. Make sure that you can recover your data from backup, test your data. Network management. So, all these different, if you're using these, you're going to create, so we have 13, network monitoring and defense. This is where you have your SIEM solution that gathers logs from different systems, alerts your monitoring team and your cyber security operations center gets into action to stop the attack if there is one happening. 16 is security awareness. 14 is security awareness. 15 is service provider management. 17 is application security, application software security. Sorry, 16 is application software.
17 is incident management, and the last one is penetration testing. So, CIS Control has 18 controls, then 153 safeguards. So, if you count all these, under each control, we have safeguards. So, this is Control 1, Safeguard 1, Control 1, Safeguard 2, Control 1. That's why we have 1.3. So, if we count all these safeguards, it is 153.

So, in summary, for CIS Control, it is a control framework. It is good. It is a technical framework, a purely technical framework. It is good for, you can use it. It is good for organizations that are just starting cyber security, but you have to augment it with other administrative controls. There are 18 controls, 153 safeguards. It has three implementation groups. The implementation groups help you to prioritize how you are going to implement all the controls. This is important, not important, most important. That is the summary of CIS Control. This document is available for you, and I tell you whether you are going to be doing technical or non-technical, you should understand all these controls, because by the time you start going into risk assessment, you will be talking to people, and you may have to, you will be talking to people to do an assessment, and you may, excuse me, you are talking to people that want to do, I want to send this thing to you guys here, but it looks like I can't attach anything. Talking to technical guys, and if you don't understand what they mean by some of the things they say, then you get lost easily.

Any questions before we go? How did you get this? Is that one of your questions? No question. Can you please send it to the group instead? Yes, I will send it to the group, but I will send it to Dave first. All right, you guys, no question. Yeah, we are going to call it a day, but before you go, two outstanding tasks are awaiting us. One is making sure that we have data protection controls in the spreadsheets, and the second one is to pick one of these systems in the list and create a data flow diagram.
That was good. Those are the two items we have got for you between now and next class. In our next class, we are going to be getting another assignment on privacy, so if you are not doing this, you are piling up things, so please, keep going. Okay, so what's the assignment, please? Yes, please share your spreadsheets. Let some of us that are just joining, that was good from there. Thank you. Share your spreadsheets, send it in the chat. Let me have this. Don't send it yet, okay? Do I share it on WhatsApp or here, because it's easier for me to share it here. See, please can share, I cannot share. Share it in the WhatsApp group.

Okay, so you said the assignments. I am giving two assignments from this spreadsheet that is going to be uploaded in our GRCC chat group. As part of the scenario that I pasted earlier, I think I might need to do some editing on that scenario so that everything can gel properly. So, what I was saying is that from that scenario, we have identified a list of systems. That list of systems is going to be contained in the spreadsheet that Peace is going to share with us. So, in the spreadsheet, there are columns. We need to add multiple columns for the different types of data protection controls that we want to apply to those different data based on their sensitivity level. I was wondering why Peace is going to do data encryption at rest for public data. The data is public, who cares? It's up there, anybody has access to it, why should you care about encryption of data? You are wasting resources. I want to see how you are thinking about it from a cost-saving perspective as well. You are not just bombarding everything with high level. If you are saying, oh, somebody needs to log into the website and needs to do MFA, why do you have to log into websites and somebody has to do MFA and authenticate? That doesn't really matter, right?
So, that spreadsheet is going to tell us the different controls, data security or data protection controls, that should be applied to secure them. Then, the second one, you need to pick one system among all the systems and draw a flow diagram. Think about a system like the customer portal. How data is going to come from the customer and is going to be stored in the customer portal database. From there, who is going to be accessing it? How is it going to be flowing? Will sales be using it? Will marketing be using it? Draw a flow diagram. Use draw.io to draw a flow diagram or use diagram.net, which is the same anyway. Even if it is a Word document, use the shapes and arrows to draw it, that's fine. I just want you to put something together. You can create a different sheet in your spreadsheet, a different tab rather, and paste your diagram so that you have all this data protection stuff in one place. After privacy, we have less data moving to other programs and continue from there. Sounds good, everyone? Yeah, if you need any additional clarification, please.

That data diagram, I tried to do it. It was not working out for me. I was just confused. Which one are you doing now? Which one do you want to do? The simplest one. One, two, three, four, five. Pick five columns. Can you draw five columns like this? Yes, I can. If you draw five columns like this, where is the data coming from? Personal data now. Which one do you say is the simplest one? I feel like corporate website. Corporate website. Okay, the data on it is public. We don't need data flow for, we need data flow for sensitive data. Because it's public, it's not sensitive. We need data flow for sensitive data, something we want to track how the data moves in our environment. So, pick one that has PHI and PI and think about how the organization is going to get the data. If they are going to create it by themselves, if it's personal data, that means they will get it from their customer like this. Where are they going to get it?
Maybe it's a web form or something. You can type web form here. Then, where is it going to be stored? Think about where the data will be stored in an organization. It will be in a database like this. Just draw an arrow for how the data is flowing. Who is going to be accessing it? Think about who will be using this data. Typical example, use your organization. Let's say employee data. It can be HRMS now. You take HRMS, you'll be able to say, okay, they are going to share your data. Your company will share your data with your bank. You will say, oh, these people are sharing data with an external party, because the bank is going to pay into your account for the job you do. You will put external party. In fact, there should be another column here for external. This does not have external. Or, access, you can put here. Just think about the data. Who is going to have this data? How is it going to be shared? How will the data be flowing? Data is going to move. You can even go to legal. You can go to the police in case something happens. Just think about it. Do something. There is something we call agile. Don't keep your mental picture in your head. Start something. I saw what Mr. Jonathan posted. I have not reviewed it. I like it because it is starting from somewhere. Agile, then you improve on it. I am also looking forward to yours. Please, don't forget to share it. Are we good for now? Yeah, I am trying to. Are we good? Yes, we are. Good, good. Awesome.

So, the scenario is what you shared. You already shared the scenario for the assignment, right? Yes, I can also paste it here again. The scenario that is, how do I put it now? It is like the basis of how we got to where we are. That is what we are doing. In this class, we are actually working as a cyber security team. I am going to paste the scenario here. Maybe I should rework the scenario and just put it here. We are working as a cyber security team.
I shared it in the class and I will put it again in the water, but I am supposed to maybe correct it. So, I am just going to paste it here. Maybe there might be some grammatical errors or something in there. I am just trying. My head is full now. I can't even correct anything correctly. So, I am just going to take a walk around, take a walk and come back and play soccer, come back, stretch a little bit. Everybody good? All right. Yeah, feel free to call me for clarification. I am more than happy to speak with you. Don't call me now. Give me like two hours or three hours before you call me because I might be on the soccer field. That's good. All right. Thanks, guys. Thank you so much. Peace. You are welcome, Will. Thank you. Thank you. Yeah, bye.