Hello, team. Good morning, good afternoon, good evening. Today we are going to discuss the CISA exam review, Domain 5, Protection of Information Assets.

I already made one video on Domain 1, part 1 and part 2, and I got a great response on that video. Based on that, I thought, let's continue the series. That is why I have started with Domain 5 first, because a lot of CISA aspirants are struggling a bit with Domain 5. So with that state of mind, I am making this video.

If you are new to this channel, do subscribe and click on the bell icon so you don't miss any of my videos. My name is Prabh Nair. For more information, you can refer to my LinkedIn profile.
So let's start with the first part. OK.

The first part in this video, in this particular session, in Domain 5, is information asset security frameworks, standards and guidelines. When you're talking about industries, many industries use standards. They use frameworks to build some kind of controls and governance in the organization. One example: we have PCI DSS, which is used as a standard by all organizations that process payment cards. So this is an example of an industry standard. But compliance is not required by law, because it is just used to achieve the defined objectives. Then some standards are found in many industries, including health care, accounting, audits, and telecommunications. In some industries, such as electrical power, regulations require compliance with the standard. And to meet the requirements of a standard, a framework is often used to describe how the organization can achieve compliance.
Let's take an example, one scenario here. Every organization always starts with a strategy. They create a strategy. A strategy is called a long-term plan. Then that strategy is further split into the tactical plan, and then we have the operational plan. Now suppose this strategy was created to meet the GDPR requirement. GDPR is a data privacy regulation of the EU. Now I have a company in Kerala, and they definitely need to comply with GDPR, because we have some employees here who are residing in Kerala and they're trying to access data which is based in the EU. And definitely, if you're trying to access the data of the EU, you need to comply with GDPR. So that much is clear: we need GDPR in the system. But the question is, what controls do we require by which we can comply with GDPR?
So the first thing we did, we introduced the framework. In Hindi, it is called dhaancha. In English, it is called a structure, which talks about the necessary practices and procedures required to achieve the defined objective. Here, I want a privacy system by which I can basically bring my people, process and technology into compliance with GDPR. So I want a privacy management system. So we found some frameworks for privacy management systems, and they basically have processes and practices. One of the processes and practices says that, OK, every system is required to be protected with a password. So they give me one kind of freedom: OK, I want a password in the system. But now the question is, should I go for the specific practice and process which is given as per the framework, or should I go for some kind of industry standard as a benchmark? And there, we basically introduce the standard. Now as per ISO 27001, they say that the system must be protected with a password of eight characters. So this is a metric we introduced. That is why we say first we introduce a framework, which helps me build the structure.
It's like when you are building a house: you first design the house. Here I need a balcony, here we need a first floor, here we need a second floor. We need a first room, second room, third room, and then we decide we need a bed in each room. So this is as per the design. But what is a standard bed? What is a standard sofa? What is the standard door we require? So we used to say that it should be ISO 9001, or they have their own standard. So the standard was basically introduced to measure effectiveness. The standard was basically introduced to set the benchmark. So whenever we are building any kind of system in the organization, first we adopt the framework. The framework comes with practices and procedures. And to enhance those practices and procedures, we can then go for the specialized standard.
In this example, I want to comply with GDPR. I want a privacy system in the organization. So I adopted one of the privacy frameworks. Now, in that privacy framework, one of the practices and procedures is that you must have a password. Now I have two choices. I can create my own password, which can be used because a framework can be modified as per your business objective. Or I can adopt the standard, because ISO claims you must have an eight-character password. So eight characters is a strong password. And tomorrow, I can claim in the industry that, yes, I am ISO 27001 certified because I am following their particular standard. It's like CISA: if you are pursuing it just for knowledge, that is a framework. But in CISA, you need to read that material also which is not relevant to your profile, but it is required for the exam, because tomorrow you are going to use CISA as a name standard in your CV. So that is why in Domain 5 the most important element is that you need to know the frameworks. That is why Domain 5 itself starts with auditing the information security management framework, and the ultimate goal of the information security management framework is to reduce the risk to an acceptable level.
So we have the NIST framework, which talks about best practices for how to achieve cybersecurity, or how to achieve information security in the organization. Let me show you the document, how it looks. So this is the document we have for NIST. If you can see, they have organized the entire process into some categories, like Identify, where they are talking about the need for governance, and what is required in the governance; they talk about these practices. And if you want to set any kind of benchmark against something, you need to claim we have the respective controls also. So you can see here. Then if I zoom in: now, if I join one company where I want to introduce information security as a system, I can refer to this NIST framework based on my knowledge and go step by step. They say, OK, as per the framework, control one, you must have asset management. Now in this case, what are the subcategories? Like: physical devices and systems within the organization are inventoried. Software platforms and applications within the organization are inventoried. Organizational communications and data flows are mapped. External information systems are catalogued. Resources are prioritized based on their classification, criticality and business value, and cybersecurity roles and responsibilities for the entire workforce and third parties are established. Now they have specific controls for that in detail. So for that, we can refer to the standard. So the standard was introduced to measure effectiveness. So this is how we can adopt any framework: I can scope it as per my business requirement, by which I can eliminate the need for implementing the entire framework and tailor it as per my business choice. So this is what we call an information security framework or cybersecurity framework.
Now coming back: in Domain 5, the first part we talk about is auditing the information security management framework, so you can adopt any kind of benchmark which is an approved benchmark from the organization, and based on that, you can assess. See, when we're talking about any governance, policy is the foundation for any governance. What is governance like? Managing kids at home, that is your governance. Managing a country, running a country's operations, that is governance. So governance is an important part of the organization, and policy is the foundation of governance. If I say policy, policy is the management statement. Policy is the management intent. Anything they want to enforce in the organization, they create a policy for that. For example: every system must be protected with a password. That's a policy. The password must be eight characters: now we introduce that as a standard. A standard is a tool by which we enforce the policy. And how to create an eight-character password step by step, that is a written procedure. A procedure is always detailed in nature. So policy is strategic in nature, a standard is tactical in nature, and a procedure is basically operational in nature. We create a detailed procedure which is easy for people to understand.
The next thing is called security awareness and training. Now let me explain the thin-line difference between awareness, training, and education. Awareness is short term. I was under the impression that, OK, an eight-character password is a secure password, so I was using 12345678. But then I attended an awareness workshop which modified my behavior, and now I know eight characters should not be only numeric. OK, so I start using alphanumeric and special characters. So that's something that modified my behavior. The question is, how to measure the effectiveness of awareness training. By reviewing the number of people who participated in the awareness program? No. As an auditor, I can evaluate the effectiveness of awareness training by seeing the number of incidents reported. Let's take an example. Last week, we conducted the awareness workshop, and at that time, 70 incidents were reported. And this week, 140 incidents have been reported. It means people are now more aware of incidents. So always remember, the way to measure the effectiveness of awareness training is an increase in incident reports and a decrease in security violations. So awareness modifies behavior, training modifies skill, and education modifies your career. Like doing a CISA training, a serious training. See, some training is part of a training which modifies your skills. But if you are attending a college program annually, that is called education.
Another important thing that you must be familiar with is called data ownership. Data ownership is another important thing we have that you must be aware of. In data ownership, the data owner is the one who is ultimately accountable for the data. So whenever you are classifying any data, you basically speak to the data owner only, because data owners are best positioned to tell you the value of the data. The next important thing: can we transfer data ownership? No, you can't transfer data ownership. So the one who manages the data on behalf of the data owner is the data custodian, because he is responsible for storing and safeguarding the data. OK, like a system analyst, computer operator, database operator; they are the ones who are data custodians. Let's take an example. I am the business owner. I produce one data set. I bring more data into the organization. Now I have an IM team, I have a database team who manage the data on behalf of me. I will say, hey, Eric, please maintain my data. So here Eric will maintain the protection of the data, but he will follow all my guidelines, and only according to that will he protect the data. I will clearly tell him: see, this data is based on EU customers, so make sure you protect it effectively. So here I am the data owner who instructs him that this is EU data. If something goes wrong, they are going to question me, and it is difficult for me to answer. So here, the database administrator, based on my guidance, is going to protect the data. So the data owner is the one who values the data, and the data custodian manages the data on behalf of the data owner.

The third is basically called the security administrator. The security administrator is another important position we have. He is responsible for providing adequate physical and logical security for the information system, and also providing security for the data and equipment. So his role is more like an implementer kind of thing. Example: firewall administrator. OK. VAPT guys, control implementers. These are basically called security administrators.
Then we have new IT users, the ones who basically join the organization. Make sure they read and agree to the security policies, keep their login ID and password secret, create quality passwords, and lock all the terminals, for the IT users. Next we have data users. A data user example: the IT users who are creating data; it is accessed by the data user only. I have a team who create data. OK, now you are basically the one who reviews this data. So you are the data user. So the responsibilities are regarding security, and to be vigilant regarding the monitoring of unauthorized people in the work areas, and to comply with the general security guidelines and policies. So data users include the external and internal user communities.
Next, we have documented authorization. So data access should be identified and authorized in writing. So as an IS auditor, you should review a sample of the authorizations to determine if the proper level of written authority was provided. Example: I am an auditor. I am going for an audit. As per the audit, for this kind of permission, we need approval from senior management. So we will ask for a sample of the email which can confirm that you are authorized to access the document. And you can get a similar pattern in the CISA exam also. Like: you are an auditor. You have discovered that some access has been attempted to specific files. Now, how to verify? What is the next step? The next step is, we will request those exceptions. We request the email exchange which says that, OK, you're authorized to access those particular documents.
The next important thing we call terminated employee access. See, whenever any employee leaves the organization, we don't delete his account. We disable the account. The first step is to notify all the departments, and the second step is to revoke his access. But when the question asks what is the best action that we have to take against the terminated employee, the thing is that we revoke his access. Termination is of two types: voluntary and involuntary. Voluntary termination is when the employee resigns, and involuntary termination is when the company asks them to leave. But during the termination process, the IS auditor needs to review whether any terminated employee still has access to the system, and that is also one of the biggest concerns. If a terminated employee has already left the organization and he still has access to the organization, then it's the biggest concern. So from an exam point of view, remember this is one of the biggest concerns we have.
Whenever we implement any kind of control, we have to follow a security baseline. What is a baseline? A baseline is the minimum level of security that we need to follow in the system. Let me explain with a reference. Now I want a baseline for my organization. OK. So I want a baseline for my systems. Baseline means minimum security. I want a baseline like a password. I want a baseline antivirus. And I want a baseline called a security solution. OK. So this is basically baseline one, baseline two, baseline three. For example, we have system 1, system 2, and system 3. So in system 1, a password is required. That is the minimum thing we need in the organization, in the system. Now the question is, a password is required. I agree. Now here I can refer to a standard. OK. Can we go for eight characters? Yes. And then we decide the procedure. So if you notice, I started with the baseline of the system, like I want a password. As a minimum, I need a password in every system. I want antivirus and I want system security. Now with reference to the password, I decided I will use eight characters as the minimum password in the system. And then I will create a detailed procedure for how to do that. So a baseline comes with a standard and procedure; a policy comes with a standard and procedure. So you must be familiar with the security baseline. And whenever you are conducting an audit, you can adopt the baseline. As per that, you can conduct the audit in the organization. And any kind of deviation you identify between what is agreed and what is there, you can document as a finding. So what is the best practice we follow? Standards for security may be defined at a generic level, then for specific machines, or for a specific application system.
So let's move to the next part. The next section is a very important section in Domain 5: privacy. First of all, let me explain the difference between privacy and secrecy. Privacy deals with the individual and secrecy deals with the organization. That's why in the organization you have seen top secret, secret, and all that. See, when the law was introduced, the law was introduced to protect the interests of the people. Now in different business sectors we have different industries. For example, in India, we have food, we have insurance, we have banks. Now, if I want to start any kind of insurance business, I need to comply with the IRDA. So what is this? This is the agency. This is the regulatory authority. Similarly, if I want to start any kind of food service, I need to comply with the FSSAI. So regulatory authorities are basically introduced in every country to control the respective industries and to make sure that business complies within the law's parameters. Compliance is nothing but the act of abiding. So privacy is the utmost priority in every organization because it directly maps to the individual. So privacy is a significant aspect for the IS auditor also, especially in light of global regulations such as GDPR. GDPR is basically the national privacy regulation of the EU, but the US does not have a national privacy regulation. They have industry-specific ones. For example, for the health sector, they have HIPAA. For finance, they have GLBA. So we have these kinds of regulations. So to understand what level of privacy we need in the organization, or what level of privacy control we need in the systems, we perform a PIA, privacy impact assessment. And based on that, we implement the privacy management system in the organization.
So what is good practice? If I say my organization needs to comply with GDPR, for example. So I need to comply with GDPR. So what I need to do first is create a policy. Through the policy, I can bring my people, process, and technology into compliance with GDPR. How? See, I cannot go to each and every individual, process, and technology and explain the GDPR articles. So what we did, we include the GDPR information. We translate the GDPR information as intent into the policies. And then I enforce the policy in the organization, where people, process, and technology need to comply. So by complying with the privacy policy, you automatically comply with GDPR. This is how you can bring uniformity in privacy best practices in the organization. That's why we say policy is the best tool to be compliant with any regulatory requirement. And that is why senior management's intentions come in the policy only.
So privacy has some good practices that must be followed, like: private data should be collected fairly, in an open, transparent manner. So if I say this organization is following effective privacy practice, or they have good privacy practice, how to check that: do they collect the data fairly, in an open, transparent manner? For example, you visit one website which says how they are going to use the data. They explain how they are managing data. So that shows their privacy best practice. And private data should be kept securely throughout the lifecycle, from the creation phase to destruction. And the third most important thing is that your private data should be accurate, it should be complete, and it should be up to date. OK, so to best meet this challenge, management should perform a PIA, and the IS auditor can ask for the last review report. This is how, as an auditor, you can validate whether the company is compliant with privacy practices.
In continuation of the previous series, this is the second part of Domain 5. In this section, we are going to discuss physical access and environmental controls. Physical access and environmental controls is another important topic we have in Domain 5, and it is a bit difficult for people who are from a non-IT background. So as an IS auditor, you need to evaluate these controls. And in many organizations, these controls are designed and implemented by facility management, not by the information security manager or IT. One example I can give you of a physical access and environmental control is the HVAC system: heating, ventilation, air conditioning. You have seen the AC in your facilities. It is controlled from a system. We have AC in the data center also, a cooling system in the data center, which is used to maintain the optimum temperature by which we can maintain the performance of the hardware, because excessive heating of the hardware will impact performance. So what controls do we require? OK, that is what we need to understand here. As an auditor, I will first obtain the approved list of controls. And then I will assess the existing controls based on that particular parameter. And any kind of gap we identify, we will document as a finding.
So when you're talking about generic controls, we have three types of controls. One is called a managerial control; it is also called an administrative control. Then we have technical, then we have physical controls. A managerial control is more like a direction, more like an order. For example, post-COVID, the company announced that you have to join the office from January, and everyone must come with their vaccination certificate. So this is a kind of order, which is used to control the behavior of the people. Now people know that, OK, we need to have that COVID vaccination certificate. Only then can we come to the facility. So it is like a control to monitor and improve the behavior of the people. One more example of an administrative control is: without a vaccination certificate, no one is supposed to enter the office. So it's a company announcement. So it is more like a managerial control. Second, we have technical controls. A technical control is something which is technical in nature. Example: firewall. Now, it's not that you pick every packet and inspect it. No, right? So there is a tool involved in which we have created rules. And based on the rules, the tool will capture and block the packet. So there is a technical control there. A function is involved to block or detect the attacks. Then we have physical controls. A physical control is like a physical lock. OK. Placement of a security guard, which tries to block physically. So we have three types of controls. See, when you're talking about controls, a control may be proactive, which means they attempt to prevent an incident, and it can be reactive, which allows the detection, containment, and recovery from an incident. So proactive controls are called safeguards and reactive controls are called countermeasures. So we have two types of controls. For example, to protect from COVID and all that, we have vaccinations. So that is basically called a proactive control. But if the vaccination becomes ineffective and you get infected with COVID, the reactive control is to isolate yourself from the family, and then you go for the 14-day period of containment. So this is how we have proactive and reactive.
So the next point is called control monitoring and effectiveness. Just implementing a control will not achieve the defined objectives. We also need to check whether the control is working effectively. It is the same as when we just hire a security guard and now we trust that the guard is going to block everyone. No. We also see how effectively he is responding to all the threats and everything. Likewise, when we configure the firewall, simply creating rules in the firewall doesn't meet my objectives. On a regular basis, we need to test the firewalls by sending malformed packets and see whether it can detect and block them. So as a control is designed, implemented and operated, the IS auditor should ensure that logs are enabled, because that is how you can track the effectiveness of the controls. And as an auditor, we also need to ensure they are testing on a regular basis. OK. And procedures should be developed by which they can test effectively. And the IS auditor should also ensure they have the capability to monitor the controls and support the monitoring system in the control design.
The next thing is called environmental exposures. See, environmental exposures are due primarily to naturally occurring events, such as lightning, storms, earthquakes, volcanic eruptions, hurricanes, and extreme weather conditions. So one particular area of concern which comes from environmental exposure is damage to equipment. Right now I'm doing this training. Suddenly there is a power issue and it directly impacts my hardware. And because of that, my system gets shut down, or it restarts, or it can be damaged. So as an auditor, the biggest concern for us is damage to equipment, because if the equipment is damaged, then it directly impacts availability. We have different kinds of threats associated with hardware equipment, like total failure, reduced voltage, spikes, surges. So that's why we purchase one system, which is called a PCS, power conditioning system. In your home, we call it a stabilizer, which is used to stabilize the power supply. Along with that, we must require a UPS and generator to prevent all the interruptions. So these kinds of controls you can basically introduce to prevent these environmental exposures.
The next important thing is called physical access exposures and controls from the auditing perspective. We also buy alarm control panels, which are separated from the burglar or security system located on the premises. We also go for smoke detectors. We have a smoke detector. It gives early warning of smoke. So this is the smoke detector we have. If there is smoke in the room, it alerts and notifies the concerned person. OK. So the detector should produce an audible alarm when activated. It should be linked to the monitoring system, but make sure this monitoring is separate from the fire department. We also need visual verification of the presence of water and smoke detectors in the computer rooms. I'm sure you have seen the buckets in red color. We also need hand-pull fire alarms that should be placed strategically throughout the facilities, and they should be placed in such a manner that they give visibility. That's an important thing. And also, the fire extinguishers should be tagged for inspection and inspected at least annually. So as an auditor, if you want to audit extinguishers and all that, you can check the last review period. If it exceeds one year, then you can raise that as a finding in your report. But before that, confirm why it got late, why there is a delay. But one more important thing as an auditor: testing the fire suppression system is also expensive. The fire suppression system is always expensive to test. And therefore, as an IS auditor, they need to limit their test to reviewing the documentation to ensure the system has been inspected and tested within the last year.
We also have different kinds of controls, like we need biometrics, something you are. OK, we can place them because that provides the appropriate type of accountability in the data center. Because in the data center, if you just access the data center based on your ID card and all that, tomorrow you can deny that it was you who accessed the data center. You can tell them that, OK, I misplaced my card and everything, so maybe in my absence someone has used the card and accessed the data center. So the data center needs to prefer the strongest accountability, and that is why we need biometrics in the data center. But when you're talking about biometrics, biometrics are vulnerable to two errors. One is called FAR and one is called FRR. False acceptance rate, where a false user is accepted by the machine. Example: I am not an authorized user, but the machine has accepted me as authorized. It has happened sometimes when I try to mimic someone's voice. They assume it is actually the authorized user and give me access. That is called the false acceptance rate. It is the biggest concern for an auditor. And the false rejection rate is where the authorized user is falsely rejected by the machine. Example: I came back from the office and I was wearing gloves and all that. My hands are completely dry and all that. So when I'm trying to place my fingers or thumb on the scanner, it fails to recognize them. So this is basically because of FRR. So the point where FAR and FRR intersect, that is the best optimum point. So that is the most important thing we need to consider. Another important point that we need to understand is security guards. Security guards are very useful if supplemented by video cameras and locked doors. So guards should be supplied by an external agency that should be bonded to protect the organization from all kinds of losses. We don't hire in-house security guards because this is how frauds are possible. So we outsource to third-party agencies which hire them, and this is how we separate the job activities.
So let's move to the next part. The next section is called identity and access management. See, we have IAAA: identification, authentication, and authorization. Suppose I go to the airport. I go to the airport and I say, hey, my name is Prabh, and I'm traveling from Trivandrum to Delhi. So they will check my name in the list. Yes, they confirm my name is in the list. But they also need to confirm, is it the same Prabh who claims to be? I will show my Aadhaar card. I will show my PAN card, which basically proves, yes, I am Prabh. So that is called authentication: the person is who they claim to be. And based on that, they give me access to a specific seat; that is called authorization. Under authorization, we also use access control.
So we have a different
type of access control.
But in CISA, they talk about
two type of access control.
One is called as a mandatory
and one is called DAC.
What is DAC?
DAC stands for
discretionary, which is also
called distributed.
Before marriage,
my life, my rules.
Same like that, which is called
distributed access control.
What that means is, suppose
this is the system we
have, system A. OK.
So we have user 1, we have
user 2, and we have user 3.
User 1 logs into the system
and creates a folder,
but denies user 2 and user 3.
User 2 logs into the system
and creates a folder.
He denies user 1 and user 3.
User 3 logs into the
system, creates a folder,
and denies the other two.
It's the same in your
workgroup environment.
When you log into your laptop
or desktop, you create a folder.
You deny your family members.
One of your family members has
access to that particular system
and they create a
folder and deny the others.
So this is called
discretionary, distributed
access control, where
multiple parties are
involved in giving and
authorizing access.
But when we're talking
about mandatory,
it is the default system access
used in the military and so on.
And the best example
is in Windows:
if you really want
to modify through CMD
or you want to access
an application,
you need to run as
administrator.
That is a mandatory thing.
So it's an access
control which is
embedded in the system by default.
And that is called
centralized access
control, which is also
called NDAC.
So MAC is system-based access.
It has predefined logic.
In CMD, if you want to
perform some admin command,
you need to run CMD as administrator.
In Linux, if
you want to perform
any kind of admin activity,
you need to run the sudo command.
That is mandatory
access control.
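To make the DAC versus MAC distinction above concrete, here is a small added model (not code from the video): the owner of a folder decides who is on its access list (discretionary), while the system's clearance levels are fixed and cannot be overridden by any owner (mandatory). The users, levels and labels are constructed for the illustration.

```python
# Added example: a toy system where every read must pass both the owner's
# discretionary list (DAC) and the system's mandatory clearance rule (MAC).
from dataclasses import dataclass, field

# Mandatory part: clearance levels defined by the system, not by users.
LEVELS = {"public": 0, "internal": 1, "secret": 2}
CLEARANCE = {"user1": "secret", "user2": "internal", "user3": "public"}  # constructed

@dataclass
class Folder:
    owner: str
    label: str                                  # mandatory label fixed at creation
    allowed: set = field(default_factory=set)   # discretionary list kept by the owner

class SystemA:
    def __init__(self):
        self.folders = {}

    def create_folder(self, user, name, label):
        # The creating user becomes the owner; the label must respect system policy.
        if LEVELS[label] > LEVELS[CLEARANCE[user]]:
            raise PermissionError("cannot create a folder above your own clearance")
        self.folders[name] = Folder(owner=user, label=label, allowed={user})

    def grant(self, owner, name, other):
        # DAC: only the owner decides who else may read ("my folder, my rule").
        f = self.folders[name]
        if f.owner != owner:
            raise PermissionError("only the owner can grant access")
        f.allowed.add(other)

    def can_read(self, user, name):
        f = self.folders[name]
        dac_ok = user in f.allowed                            # owner's discretion
        mac_ok = LEVELS[CLEARANCE[user]] >= LEVELS[f.label]   # system rule: no read up
        return dac_ok and mac_ok                              # both checks must pass
```

The last assertion below is the point of MAC: user1 can put user2 on the list, but the system still refuses the read because user2's clearance is below the folder's label.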
So when you're talking
about authentication,
authentication basically
has three factors.
Something you know, which
is your password, which
is easy to compromise;
something you have,
which is called ownership;
and something you are,
which is biometric; and
nowadays also somewhere you are.
So a token device and a one-time
password are something you have,
which is called ownership.
Next is called
single sign-on.
Single sign-on means
you log in once
and access
multiple resources.
An example, imagine like--
when you're talking about
single sign-on, one example
we have is Gmail.
So you open gmail.com,
you log in to Gmail,
and from there, you open
doc.google.com.
It doesn't ask for the password.
Then you type YouTube.
It doesn't ask for the password.
Then you open any document.
It doesn't ask for the password.
When you open Drive, it
doesn't ask for the password.
So that is the best
example of single sign-on.
You need to authenticate once.
And based on that, you are able
to access any number of
Gmail services.
But single sign-on is a concept
we use within one domain.
But federation-- I'm
sorry for the spelling.
I was in a hurry.
I'm sorry.
I can correct that.
So federation is basically where
you authenticate with one domain
and access another domain.
So federation we use
between two companies,
between two domains.
For example, we have
booking.com and we have Gmail.
I'm sure you have noticed:
a user goes to booking.com.
Now booking.com
gives him the option,
log in with your
Google ID or sign up.
Definitely, to save time, I will
select login with the Gmail ID.
So booking.com redirects the
user to Gmail.
To Gmail, I will
basically provide my username
and password, and against that
Gmail provides the authorization
ticket, and that authentication
ticket or authorization ticket
I will provide to Booking,
which confirms, yes, you are
an authorized user of Gmail.
And based on that, booking.com
provides the resource.
So in this case, Gmail
is the identity provider,
who verifies your identity,
and booking.com is
the service provider, who
provides you services.
So federation is basically used
across multiple systems.
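The exchange just described, as an added example that is not part of the video: "gmail" plays the identity provider that checks the password and issues a ticket, and "booking.com" plays the service provider that only verifies the ticket. An HMAC with a constructed shared key stands in for the real signature a SAML or OIDC identity provider would use; the user names and passwords are constructed too.

```python
# Added example: a toy federated login with an identity provider (IdP) and a
# service provider (SP). The SP never sees the password, only the signed ticket.
import base64, hashlib, hmac, json, time

def hash_password(password):
    """Stand-in for proper password storage; constructed for the example."""
    return hashlib.sha256(password.encode()).hexdigest()

class IdentityProvider:
    """Verifies the user's credentials and issues a signed ticket for one audience."""
    def __init__(self, name, users, signing_key):
        self.name, self.users, self.key = name, users, signing_key

    def login(self, username, password, audience):
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, hash_password(password)):
            return None                      # authentication failed, no ticket
        claims = {"iss": self.name, "sub": username, "aud": audience,
                  "exp": time.time() + 300}  # short-lived ticket
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig

class ServiceProvider:
    """Trusts the IdP's key; accepts a ticket only if it is intact, meant for it, and fresh."""
    def __init__(self, name, idp_name, idp_key):
        self.name, self.idp_name, self.idp_key = name, idp_name, idp_key

    def accept(self, ticket):
        body, _, sig = ticket.rpartition(".")
        expected = hmac.new(self.idp_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None                      # forged or altered ticket
        claims = json.loads(base64.urlsafe_b64decode(body))
        if (claims["iss"] != self.idp_name or claims["aud"] != self.name
                or claims["exp"] < time.time()):
            return None                      # wrong issuer, wrong audience, or expired
        return claims["sub"]                 # the user the service provider now serves
```

The audience check matters: a ticket issued for booking.com is rejected by any other service provider, even one that trusts the same identity provider.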
Biometrics establish
the strongest form
of accountability,
which cannot be spoofed.
So we have two scanners.
One is called retina.
And the second
is called iris.
Iris is-- so when you're
talking about retina,
a retina scan reads the blood
vessels of your eyes.
OK, very accurate, but difficult
to implement because it has
acceptance issues,
whereas the iris
is accurate with acceptance.
If you ask me which
is more accurate,
retina is more accurate
because it is difficult
to spoof someone's
blood vessels.
But iris is the second
best: accepted and accurate.
When we are going for
biometric solutions,
as an auditor, we also need
to check the privacy policy
because implementing a biometric
system in the organization
requires user acceptance.
OK, so acceptance
for the solution
is very low in
the organization.
So we need to review the
data privacy policies
and see how they're going
to use the biometric data.
So let me explain to you how
biometric enrollment works.
So whenever you
register for biometrics,
suppose this is the
scanner we have.
So you place your fingers or you
place your thumb on the scanner.
The scanner will capture the image
and store it in the form of minutiae.
Minutiae we call it--
minutiae or metrics we call it.
Or you can say in
the form of a template.
It stores it in the form of a template.
So next time when
you place your finger,
it basically scans and
generates that template
and compares it against
the stored template.
If it matches, it gives access.
So this is-- they do like a
one-to-many or many-to-many
identification.
Next important
thing: audit logging.
It's very important
to log everything,
by which we are able to
track accountability.
So audit logging is
another important practice
we need to follow.
The next solution we have is
DLP, data leak prevention.
The ultimate objective of DLP
is to ensure data does not
leave in an unauthorized manner.
You have seen a lot of employees
take their confidential data
and try to send it to
public portals.
So we need to prevent
this data exfiltration.
The data exfiltration
definition means
data should not leave the
organization environment.
So we have a DLP here,
we have DLP here.
So for example, I connect
a pen drive
and try to copy the data.
That is also data leaving
in an unauthorized manner,
but the DLP there will try to block it.
You open Gmail and try
to upload data to Gmail.
So there is an endpoint
DLP or network-based DLP that
will try to block the content.
So the ultimate goal of DLP is to
prevent data exfiltration.
It is not a solution
introduced to monitor what is
coming from outside to inside.
No.
It is a solution which monitors
what data is leaving the organization.
What is leaving the
organization's control.
Because the internal threat
is a difficult threat.
It's a concern for
the organization
and it is the biggest
threat for the organization.
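An added example of the DLP behaviour described above (not code from the video): a minimal endpoint policy that inspects only outbound channels such as a pen drive copy or a web upload, and blocks a transfer when the content matches a sensitivity rule. The rules, channel names and sample file are constructed for the illustration.

```python
# Added example: a toy endpoint DLP decision. Direction matters: DLP looks at
# data leaving the organization's control, not at inbound traffic.
import re

OUTBOUND_CHANNELS = {"usb_copy", "web_upload", "email_attachment"}   # constructed

RULES = {
    "classification_tag": re.compile(r"\bCONFIDENTIAL\b"),  # document marking
    "pan_card": re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b"),   # Indian PAN number format
    "credit_card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),   # 16 digits, optional separators
}

def inspect(content):
    """Return the names of the rules that fire on the content, sorted for stable output."""
    return sorted(name for name, rx in RULES.items() if rx.search(content))

def decide(channel, content, direction="outbound"):
    """Allow or block a transfer: block only outbound transfers carrying sensitive data."""
    if direction != "outbound" or channel not in OUTBOUND_CHANNELS:
        return ("allow", [])        # inbound traffic is not what DLP is for
    hits = inspect(content)
    return ("block", hits) if hits else ("allow", [])

# Constructed sample file an employee might try to copy to a pen drive.
SAMPLE = "Project plan - CONFIDENTIAL\nCustomer PAN ABCDE1234F recorded."
```

A real DLP product adds fingerprinting and exact-data matching on top of patterns like these; the decision structure (channel, direction, content rules) is the same.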
The next thing we have is network
and endpoint security, the most
important section of Domain 5.
Now we have different
types of circuits.
What is a circuit?
A circuit is a link by which
we transfer the data.
So when you're talking about
circuits, the first circuit
they are talking about is the
dedicated circuit.
So we have user A and we have
user B. Like that, the circuit
is a link which is basically
up between the two parties.
And you send the data
through this link.
Another example is
you call your friend.
So what do you have to do?
You need to dial his number.
And once you dial his number,
the link will be established.
And then you communicate.
And once it is done,
you basically discard it.
That is a circuit.
But that is not a dedicated one.
It is a temporary circuit.
But a dedicated circuit
is a link that is always up.
Whenever you dial,
it will be available.
The second is called
a switched circuit.
The example I gave you of the
switched circuit
is you dial the person's
number, you temporarily
establish the connection,
you are done, and you finish.
You are done with that and
you can discard the things.
So that is the difference
between the dedicated and switched
circuit.
We also have packet
switching technology.
Packet switching technology
today is used in 4G.
I am sure you have
seen that Jio, Airtel,
and so on offer packet
switching technology only.
That is why if you
do a WhatsApp call,
it has better quality
than the voice call,
because packet switching
was primarily introduced
for data transfer.
Let's take an example.
We have a system
A, we have a system
B. So this is my internet.
We have routers here.
So what packet switching
does: we have data here,
data divided into packets.
So some packets go
through this route
and some packets go
through this route.
And by the end of the day, it
gets delivered to B.
It doesn't give assurance in
what state it is basically received,
but it just sends the data.
That is why packet
switching is primarily
designed for data transfer,
not for voice transfer.
That's why if you're
on your 4G phone,
you can see VoLTE. OK.
And your landline, it's
not having dial-up tones.
It has some other tones.
So today all your
calls are basically
done through VoIP by using
packet switching only.
You also need to understand
the different types of networks,
like LAN, which is basically
a group of computers
within the organization; a group
of systems over the internet, which
is called a WAN; and access to
storage, which is called a SAN.
DNS is a service which translates
name to IP and IP to name.
Let's take the example
of a smartphone.
It is difficult for you to
remember your friend's number.
So what you did: you saved the
friend's number with the name,
because the human mind remembers
alphabets over numbers.
So if I want to call
my friend Pankaj,
I will type Pankaj Delhi.
So it will search by name and
map it to the number.
So it automatically
dials the number.
Same like you open a
browser and type google.com.
It sends the request to
a specific server which
translates the name
to IP, and then it
will redirect you to the
particular web server,
like this.
So we have a client and we
have a DNS server here.
And this is my web server.
So the client has
requested google.com.
That request goes to DNS.
DNS says, no, boss.
Google.com is on 1.1.1.1.
And this is how it
redirects to 1.1.1.1.
And then the web server
provides the content.
So DNS is a service which
translates name to IP and IP
to name.
The next thing is
called DHCP.
DHCP is a service
which basically
provides automated IP
addresses to all the systems.
It is difficult to manage
the IPs on every system.
So what I need, I want
one centralized server
from where I can assign the
IP addresses to all the clients.
The next important topic
is called topology.
Topology provides the
layout of the network.
And then we have media type.
So we have twisted
pair and fiber optic.
Twisted pairs are
twisted together,
by which it reduces
the attenuation.
What is attenuation?
It is loss of signal.
Fiber optic basically
provides a very effective
speed, and it has low
latency and is better than twisted
pair for sending sensitive data.
So this is the first part
of this particular series.
I'm planning to make
another series next week
and we'll see what can be done.
This is just the first
part of Domain 5.
If you find this video useful,
do share your feedback and do
let me know what
other videos should
I make on the CISA.
Thank you.