0:00:00.000 [MUSIC PLAYING] Hello, team. Good morning, good afternoon, good evening. Today we are going to discuss the CISA exam review, Domain 5, Protection of Information Assets. I already made one video on Domain 1, part 1 and part 2, and I got a great response on that video. Based on that, I thought, let's continue the series of those sessions. That is why I have started with Domain 5 first, because a lot of CISA aspirants are struggling a bit with Domain 5. So with that state of mind, I am making this video. If you are new to this channel, do subscribe and click on the bell icon so you do not miss any of my videos. My name is Prabh Nair. For more information, you can refer to my LinkedIn profile. So let's start with the first part. OK. The first part in this video, in this particular session, or in Domain 5, is information asset security frameworks, standards and guidelines. So when you're talking about industries, many industries basically use standards. They use frameworks to build some kind of controls and governance in the organization.

0:01:17.150 One example: we have PCI DSS, which is used as a standard for all organizations that process payment cards. So this is an example of an industry standard. But compliance is not required by the law, because it is just used to achieve the defined objectives. Then we have some standards that are found in many industries, including health care, accounting, audit, and telecommunications. In some industries, such as electrical power, regulations require compliance with the standard. And to meet the requirements of a standard, a framework is often used to describe how the organization can achieve compliance. Let's take an example. Let's talk about one scenario here. Every organization always starts with a strategy. They create a strategy. A strategy is called a long-term plan. Then that strategy is further split into the tactical plan. And then we have the operational plan. Now, say this strategy was created to meet the GDPR requirement. GDPR is a data privacy regulation of the EU.

0:02:46.230 Now I have a company in Kerala, and they definitely need to comply with GDPR, because we have some employees here who are residing in Kerala and they are trying to access data which is based in the EU. And definitely, if you're trying to access the data of the EU, you need to comply with GDPR. So that was clear: we need GDPR in the system. But the question is, what controls do we require by which we can comply with GDPR? So the first thing we did is we introduced the framework. In Hindi, it is called dhaancha. In English, it is called a structure, which talks about the necessary practices and procedures required to achieve the defined objective. Here, I want a privacy system by which I can make my people, process, and technology compliant with GDPR. So I want a privacy management system. So we found some frameworks for privacy management systems. And they basically have processes and practices. So one of the processes and practices says that, OK, every system is required to be protected with a password. So they give me one kind of freedom: OK, I want a password in the system.

0:04:19.529 But now the question is, should I go for the specific practice and process which is given as per the framework, or should I go for some kind of industry standard as a benchmark? And there, we basically introduce the standard. Now, as per ISO 27001, they say that the system must be protected with a password of eight characters. So this is a metric we introduced. So that is why we say first we introduce a framework, which helps me to build the structure. It's the same as when you are building a house: you first design the house. Here, I need a balcony; here you need a first floor; here we need a second floor; here we need a third-- sorry. We need a first room, second room, third room, and then we decide we need a bed in each room. So this is as per the design. But what is a standard bed? What is a standard sofa? What is a standard door we require? So we used to say that it should be ISO 9001, or they have their own standard. So the standard was basically introduced to measure the effectiveness. The standard was basically introduced to set the benchmark. So whenever we are building any kind of system in the organization, first we adopt the framework.

0:05:39.730 The framework comes with practices and procedures. And to enhance those practices and procedures, then we can go for the specialized standard. In this example, I want to comply with GDPR. I want a privacy system in the organization. So I adopted one of the privacy frameworks. Now, in that privacy framework, one of the practices and procedures is that you must have a password. Now I have two choices. I can create my own password, which can be used because a framework can be modified as per your business objective. Or I can basically adopt the standard, because ISO claims you must have an eight-character password. So eight characters is a strong password. And tomorrow, I can claim in the industry that, yes, I am ISO 27001 certified because I am following their particular standard. It's the same as CISA: if you are pursuing it just for knowledge, that is a framework. But in CISA, you need to read that stuff also which is not relevant to your profile, but that is required for the exam, because tomorrow you are going to use CISA as a named standard in your CV. So that is why, in Domain 5, the most important element is that you need to know the frameworks.

0:06:43.606 So that is why Domain 5 itself starts with auditing the information security management framework, and the ultimate goal of the information security management framework is to reduce the risk to an acceptable level. So we have the NIST framework, which talks about the best practices, how to achieve cybersecurity, or how to achieve information security in the organization. Let me show you the document, how it looks. So this is the document we have for NIST. If you can see, they have organized the entire process into some categories, like Identify, where they are talking about we need governance, and what is required in governance: they say these are the practices. And if you want to set any kind of benchmark against something, you need to claim we have the respective controls also. So you can see here. Then if I zoom in-- now, if I join one company where I want to introduce information security as a system, I can refer to this NIST framework based on my knowledge; I can go by a step-by-step process. They say, OK, as per the framework, control one, you must have asset management.

0:08:05.120 Now in this case, what are the subcategories? Physical devices and systems within the organization are inventoried. Software platforms and applications within the organization are inventoried. Organizational communication and data flows are mapped. External information systems are catalogued. Resources are prioritized based on their classification, criticality, and business value, and cybersecurity roles and responsibilities for the entire workforce and third parties are established. Now they have specific controls for that in detail. So for that, we can refer to the standard. So the standard was introduced to measure the effectiveness. So this is how we can basically adopt any framework: I can basically scope it as per my business requirement, by which I can eliminate the need for implementing this entire framework and tailor it as per my business choice. So this is what we call an information security framework or cybersecurity framework. Now coming back: so in Domain 5, the first part we talk about is auditing the information security management framework, so you can adopt any kind of benchmark which is an approved benchmark from the organization. And based on that, you can assess.

0:09:17.240 See, when we're talking about any governance, policy is the foundation for any governance. What is governance like? In order to manage kids at home, that is your governance. Managing a country, running a country's operations, that is governance. So governance is an important part of the organization, and policy is the foundation of governance. If I say policy, policy is the management statement. Policy is the management intent. Anything they want to enforce in the organization, they create a policy for that. Example: every system must be protected with a password. So it's a policy. The password must be eight characters. Now we introduce that as a standard. A standard is a tool by which we enforce the policy. And how to create, step by step, an eight-character password: that is a written procedure. A procedure is always detailed in nature. So policy is strategic in nature, the standard is tactical in nature, and the procedure is basically operational in nature. We create a detailed procedure which is easy for people to understand. Now the next thing is called security awareness and training. Now let me explain the thin-line difference between awareness, training, and education.

0:10:36.560 Awareness is short term. I was under the impression that, OK, an eight-character password is a secure password. So I was using 12345678. But then I attended an awareness workshop which modified my behavior, and now I know that eight characters should not be only numeric. OK, so I start using alphanumeric and special characters. So that is something that modified my behavior. The question is, how to measure the effectiveness of awareness training? By reviewing the number of people who participated in the awareness program? No. As an auditor, the way I can evaluate the effectiveness of awareness training is by seeing the number of incidents reported. Let's take an example. Last week, we conducted the awareness workshop. And at that time, we had 70 incidents reported. And this week, 140 incidents have been reported. It means people are now more aware of incidents. So always remember: the way to measure the effectiveness of awareness training is an increase in incident reports and a decrease in security violations. So awareness modifies behavior. Training modifies skill, and education modifies your career. Like doing CISA training, serious training.

0:11:55.822 See, some training is part of a training program which modifies your skills. But if annually you are attending a college program, that is called education. Another important thing that you must be familiar with is called data ownership. Data ownership. So data ownership is another important thing we have that you must be aware of. In data ownership, the data owner is the one who is ultimately accountable for the data. So whenever you are classifying any data, you basically speak to the data owner only, because data owners are best positioned to tell you the value of the data. The next important thing is called-- yeah, can we transfer the data ownership? No, you can't transfer the data ownership. So the one who manages the data on behalf of the data owner is the data custodian, because he is responsible for storing and safeguarding the data. OK, like the system analyst, computer operator, database operator: they are the ones who are the data custodians. Let's take an example. I am the business owner. I produce one piece of data. I bring more data into the organization. Now I have an IM team, I have a database team who manage the data on behalf of me. I will say, hey, Eric.

0:13:08.380 Please maintain my data. So here Eric will maintain the protection of the data, but he will follow all my guidelines, and according to that only he protects the data. I will clearly tell him: see, this data is basically based on EU customers, so make sure you protect it effectively. So here I am the data owner who instructs him that this is EU data. If something goes wrong, he is going to question me, and it is difficult for me to answer. So here, the database administrator, based on my guidance, is going to protect the data. So the data owner is the one who values the data, and the data custodian manages the data on behalf of the data owner. The third is basically called the security administrator. The security administrator is another important position we have. He is responsible for providing adequate physical and logical security for the information system, and also providing security to the data and equipment. So his role is more like an implementer kind of thing. Example: firewall administrator. OK. VAPT guys, control implementers. These are basically called security administrators. Then we have new IT users, the ones who basically join the organization.

0:14:24.250 Make sure they read and agree to the security policies, keep their login ID and password secret, create quality passwords, and lock their terminals; that is for the IT users. Next, we have data users. Data user example: the data that the IT users are creating is accessed by the data user only. I have a team who creates data. OK, now you are basically the one who reviews this data. So you are the data user. So the responsibilities regarding security are to be vigilant regarding the monitoring of unauthorized people in the work areas and to comply with the general security guidelines and policies. So data users include the external and internal user communities. Next, we have documented authorization. So data access should be identified and authorized in writing. So as an IS auditor, you should review a sample of the authorizations to determine if the proper level of written authority was provided. Example: I am an auditor. I am going for an audit. As per the audit, for this kind of permission, we need approval from senior management. So we will ask for a sample of an email which can confirm that you are authorized to access the document.

0:15:29.130 And you can get a similar pattern in the CISA exam also. Like, you are an auditor. You have discovered that some access has been attempted to specific files. Now, how to verify? What is the next step? The next step is we will request those exceptions. We request the email exchange which says that, OK, you're authorized to access those particular documents. The next important thing we call terminated employee access. See, whenever any employee leaves the organization, we don't delete his account. We disable the account. The first step is to notify all the departments, and the second step is to revoke his access. But if the question is talking about what is the best action that we have to take against the terminated employee, the thing is that you revoke his access. Termination is of two types: voluntary and involuntary. Voluntary termination is when the employee resigns, and involuntary termination is when the company asks them to leave. But during this process, during the termination process, the IS auditor needs to review whether any terminated employee is having access to the system, and that is also one of the biggest concerns.

0:16:34.880 If a terminated employee has already left the organization and he still has access to the organization, then it's the biggest concern. So from an exam point of view, remember this is one of the biggest concerns we have. Whenever we are implementing any kind of control, we have to follow a security baseline. What is a baseline? A baseline is the minimum level of security that we need to follow in the system. Let me explain to you with a reference. Now I want a baseline for my organization. OK. So I want a baseline in-- so, for example-- I want a baseline for my system, so-- for my systems. Baseline means minimum security. I want a baseline like a password. I want a baseline antivirus. And I want a baseline called a security solution. OK. So this is basically baseline one, baseline two, baseline three. So, for example, we have system 1, system 2, and system 3. So in system 1, a password is required. That is the minimum thing we need in the organization, in the system. Now, the question is: a password is required. I agree. Now here I can refer to a standard. OK. Can we go for eight characters? Yes.

0:17:52.260 And then we decide the procedure. So if you notice, I started with the baseline of the system, like I want a password. As a minimum, I need a password in any system. I want antivirus and I want system security. Now, with reference to the password, I decided I will use eight characters as the minimum password in the system. And then I will create a detailed procedure for how to do that. So the baseline comes with the standard and procedure; the policy comes with the standard and procedure. So you must be familiar with the security baseline. And whenever you are conducting an audit, you can adopt the baseline. As per that, you can conduct the audit in the organization. And any kind of deviation you identify between what is agreed and what is there, you can document as a finding. So what is the best practice we follow? So standards for security may be defined at a generic level, then for specific machines, or for a specific application system. So let's move to the next part. The next section is a very important section in Domain 5: privacy. First of all, let me explain to you the difference between privacy and secrecy. Privacy deals with the individual, and secrecy deals with the organization.

0:19:16.130 That's why in the organization you have seen top secret, secret, and all that. See, when the law was introduced, law was introduced to protect the interest of the people. Now, in different business sectors, we have different industries. Example: in India, we have food, we have insurance, we have banks. Now, if I want to start any kind of insurance business, I need to comply with the IRDA. So what is this? This is the agency. This is the regulation authority. And similarly, if I want to start any kind of food service, I need to be compliant with the FSSAI. So regulation authorities are basically introduced in every country to control the respective industries and to make sure that businesses comply within the law's parameters. Compliance is nothing but the act of abiding. So privacy is the utmost priority in every organization because it directly maps to the individual. So privacy is a significant aspect for the IS auditor also, especially in the light of global regulations such as GDPR. GDPR is basically the national privacy regulation of the EU, but the US does not have a national privacy regulation. They have industry-specific ones.

0:20:34.010 Example: for the health sector, they have HIPAA. For finance, they have GLBA. So we have this kind of regulation. So to understand what level of privacy we need in the organization, or what level of privacy control we need in the systems, we perform the PIA, privacy impact assessment. And based on that, we implement the privacy management system in the organization. So what is a good practice? So if I say my organization-- OK, if I say my organization needs to comply with GDPR, for example. So I need to comply with GDPR. So what I need to do first is I need to create a policy. So by the policy, I can make my people, process, and technology compliant with GDPR. How? See, I cannot go to each and every individual, process, and technology and explain the GDPR articles. So what we did, we included the GDPR information. So we translated the GDPR information as an intent in the policies. And then I enforce the policy in the organization, where people, process, and technology need to comply. So by complying with privacy, you automatically comply with GDPR. So this is how you can bring privacy best practices and uniformity in the organization.

0:21:52.050,0:21:53.570 That's why we say policy is the best 0:21:53.570,0:21:56.640 tool to be compliant with any regulatory requirement. 0:21:56.640,0:21:58.820 And that is why senior management intentions 0:21:58.820,0:22:01.170 come in the policy only. 0:22:01.170,0:22:05.760 So privacy has some good practices that must be followed, 0:22:05.760,0:22:08.330 like private data should be collected fairly 0:22:08.330,0:22:09.990 in an open, transparent manner. 0:22:09.990,0:22:14.510 So if I say this organization is following effective privacy 0:22:14.510,0:22:17.160 practice or they have a good privacy practice, 0:22:17.160,0:22:20.000 how to check that is: do they collect the data fairly, 0:22:20.000,0:22:21.210 in an open, transparent manner? 0:22:21.210,0:22:23.180 Example, you visit one website which 0:22:23.180,0:22:25.350 says how they are going to use the data. 0:22:25.350,0:22:28.670 They are going to explain how they are basically 0:22:28.670,0:22:29.520 managing data. 0:22:29.520,0:22:32.030 So that shows their privacy best practice. 0:22:32.030,0:22:35.750 And private data or privacy data should be kept securely 0:22:35.750,0:22:37.550 throughout the lifecycle, from the creation 0:22:37.550,0:22:39.180 phase to destruction. 0:22:39.180,0:22:40.940 And the third most important thing 0:22:40.940,0:22:43.350 is that your private data should be accurate, 0:22:43.350,0:22:47.310 it should be complete, and it should be up to date. 0:22:47.310,0:22:49.440 OK, so to best meet this challenge, 0:22:49.440,0:22:50.930 management should perform the PIA, 0:22:50.930,0:22:54.000 and the IS auditor can ask for the last review report. 0:22:54.000,0:22:57.080 This is how, as an auditor, you can validate 0:22:57.080,0:23:02.210 whether the company is compliant with any privacy practices.
0:23:02.210,0:23:06.840 In continuation of the previous series, 0:23:06.840,0:23:09.745 so this is the second part of Domain 5. 0:23:09.745,0:23:11.120 And in this section, we are going 0:23:11.120,0:23:16.040 to discuss physical access and environmental control. 0:23:16.040,0:23:17.750 Physical access and environmental control 0:23:17.750,0:23:20.500 is another important topic we have in our Domain 5, 0:23:20.500,0:23:23.040 and it is a bit difficult for the people who 0:23:23.040,0:23:25.050 are from a non-IT background. 0:23:25.050,0:23:28.450 So as an IS auditor, you need to evaluate these controls. 0:23:28.450,0:23:30.540 And in many organizations, these controls 0:23:30.540,0:23:33.190 are designed and implemented by facility management, 0:23:33.190,0:23:36.690 not by the information security manager or IT. 0:23:36.690,0:23:39.360 One example I can give you about physical access 0:23:39.360,0:23:42.640 and environmental control is the HVAC system, heat, ventilation, 0:23:42.640,0:23:45.362 air conditioning. 0:23:45.362,0:23:47.650 You have seen the AC in your facilities. 0:23:47.650,0:23:50.740 It is controlled from a system. 0:23:50.740,0:23:53.100 We have AC in the data center also, 0:23:53.100,0:23:55.950 a cooling system in the data center, which 0:23:55.950,0:23:58.980 is used to maintain the optimum temperature by which we can 0:23:58.980,0:24:02.010 maintain the performance of the hardware, 0:24:02.010,0:24:03.900 because excessive heating of the hardware 0:24:03.900,0:24:05.380 will impact the performance. 0:24:05.380,0:24:07.570 So what controls are required? 0:24:07.570,0:24:09.730 OK, that we need to understand here. 0:24:09.730,0:24:11.670 As an auditor, I will first obtain 0:24:11.670,0:24:13.720 the approved list of controls. 0:24:13.720,0:24:16.862 And then I will assess the existing controls based 0:24:16.862,0:24:18.070 on that particular parameter.
0:24:18.070,0:24:20.390 And any kind of gap we identify, 0:24:20.390,0:24:22.760 we will document as a finding. 0:24:22.760,0:24:25.600 So in this, when you're talking about generic controls, 0:24:25.600,0:24:27.530 we have three types of controls. 0:24:27.530,0:24:29.690 One is called a managerial control. 0:24:29.690,0:24:32.420 It is also called an administrative control. 0:24:32.420,0:24:35.570 Then we have technical, then we have physical control. 0:24:35.570,0:24:40.430 Managerial control is more like a direction, more like an order. 0:24:40.430,0:24:42.820 Example, like post-COVID, the company 0:24:42.820,0:24:48.850 has announced that you have to join office from January 0:24:48.850,0:24:52.760 and everyone must come with their vaccination certificate. 0:24:52.760,0:24:54.760 So this is a kind of an order, which 0:24:54.760,0:24:57.110 is used to control the behavior of the people. 0:24:57.110,0:24:58.720 Now people know that, OK, we need 0:24:58.720,0:25:01.070 to have that COVID vaccination certificate. 0:25:01.070,0:25:03.440 Then only we can come to the facility. 0:25:03.440,0:25:07.450 So it is like a control to monitor and improve 0:25:07.450,0:25:08.750 the behavior of the people. 0:25:08.750,0:25:11.110 One more example of an administrative control 0:25:11.110,0:25:14.420 is: without a vaccination certificate, 0:25:14.420,0:25:15.847 no one enters the office. 0:25:15.847,0:25:17.680 No one is supposed to enter the office. 0:25:17.680,0:25:19.240 So it's a company announcement. 0:25:19.240,0:25:21.840 So it is more like a managerial control. 0:25:21.840,0:25:23.903 Second, we have a technical control. 0:25:23.903,0:25:25.320 The technical control is something 0:25:25.320,0:25:27.020 which is technical in nature. 0:25:27.020,0:25:28.330 Example, firewall. 0:25:28.330,0:25:33.370 Now it's not something where you pick every packet and inspect it.
0:25:33.370,0:25:33.910 No, right? 0:25:33.910,0:25:37.690 So there is a tool involved in which we have created rules. 0:25:37.690,0:25:40.410 And based on the rule, the tool will capture and block 0:25:40.410,0:25:40.960 the packet. 0:25:40.960,0:25:42.690 So there is a technical control there. 0:25:42.690,0:25:46.420 A function is involved to block or detect the attacks. 0:25:46.420,0:25:47.770 Then we have physical control. 0:25:47.770,0:25:49.860 Physical control is like a physical lock. 0:25:49.860,0:25:50.410 OK. 0:25:50.410,0:25:53.620 Placement of a security guard who tries to block physically. 0:25:53.620,0:25:55.943 So we have three types of controls. 0:25:55.943,0:25:57.610 See, when you're talking about controls, 0:25:57.610,0:26:00.300 a control may be proactive, which means 0:26:00.300,0:26:02.890 it can attempt to prevent an incident, 0:26:02.890,0:26:05.430 and it can be reactive, which allows 0:26:05.430,0:26:09.340 the detection, containment, and recovery from an incident. 0:26:09.340,0:26:15.180 So proactive controls are called safeguards and reactive 0:26:15.180,0:26:17.860 controls are called countermeasures. 0:26:17.860,0:26:21.070 0:26:21.070,0:26:21.570 Sorry. 0:26:21.570,0:26:30.510 0:26:30.510,0:26:31.060 OK. 0:26:31.060,0:26:35.250 So that is basically called a countermeasure. 0:26:35.250,0:26:37.590 So we have two types of controls. 0:26:37.590,0:26:40.470 Example, like before going-- 0:26:40.470,0:26:43.000 to protect from COVID and all that, we have vaccinations. 0:26:43.000,0:26:45.760 So that is basically called a proactive control. 0:26:45.760,0:26:48.630 But if the vaccination becomes ineffective 0:26:48.630,0:26:52.410 and you get impacted with COVID, the reactive control 0:26:52.410,0:26:53.970 is to isolate yourself from the family, 0:26:53.970,0:26:57.160 and then you can go for the 14-day period of containment.
0:26:57.160,0:27:00.960 So this is how we have proactive and reactive. 0:27:00.960,0:27:03.510 So the next point is called control monitoring 0:27:03.510,0:27:04.420 and effectiveness. 0:27:04.420,0:27:06.810 Just implementing a control will not 0:27:06.810,0:27:08.440 achieve the defined objectives. 0:27:08.440,0:27:10.800 We also need to check whether the control 0:27:10.800,0:27:11.970 is working effectively. 0:27:11.970,0:27:14.750 It is the same as if we just hire the security guard 0:27:14.750,0:27:17.700 and now we trust that guard that he is going to block everyone. 0:27:17.700,0:27:18.260 No. 0:27:18.260,0:27:22.010 We also see how effectively he is responding to all the threats 0:27:22.010,0:27:22.710 and everything. 0:27:22.710,0:27:24.800 Same as when we configure the firewall: 0:27:24.800,0:27:26.730 simply creating rules in the firewall 0:27:26.730,0:27:27.980 doesn't meet my objectives. 0:27:27.980,0:27:30.530 On a regular basis, we need to test the firewalls 0:27:30.530,0:27:33.020 by sending malformed packets and see whether it 0:27:33.020,0:27:34.860 can detect and block them. 0:27:34.860,0:27:38.370 So as the control is designed, implemented, and operated, 0:27:38.370,0:27:41.600 the IS auditor should ensure the logs are enabled because that 0:27:41.600,0:27:46.062 is how you can track the effectiveness of the controls. 0:27:46.062,0:27:48.020 And we also need to ensure, as an auditor, 0:27:48.020,0:27:51.180 we need to ensure they are testing on a regular basis. 0:27:51.180,0:27:51.720 OK. 0:27:51.720,0:27:53.845 And the procedure should be developed by which they 0:27:53.845,0:27:55.110 can test effectively. 0:27:55.110,0:27:57.410 And as an IS auditor, one should also ensure 0:27:57.410,0:27:59.960 they have a capability to monitor the controls 0:27:59.960,0:28:03.213 and support the monitoring system in the control design.
0:28:03.213,0:28:06.920 0:28:06.920,0:28:10.070 The next thing is called environmental exposures. 0:28:10.070,0:28:13.240 See, environmental exposures are due primarily 0:28:13.240,0:28:16.090 to naturally occurring events, such as lightning, 0:28:16.090,0:28:20.750 storms, earthquakes, volcanic eruptions, hurricanes, 0:28:20.750,0:28:23.300 and extreme weather conditions. 0:28:23.300,0:28:26.800 So one particular area of concern, 0:28:26.800,0:28:29.410 which is coming from an environmental exposure, 0:28:29.410,0:28:31.730 is called damage of equipment. 0:28:31.730,0:28:33.560 Right now I'm doing this training. 0:28:33.560,0:28:35.920 Suddenly there is a power issue and it directly 0:28:35.920,0:28:37.160 impacts my hardware. 0:28:37.160,0:28:41.260 And because of that, my system gets shut down or it restarts, 0:28:41.260,0:28:42.380 or it can get damaged. 0:28:42.380,0:28:46.150 So as an auditor, the biggest concern for us 0:28:46.150,0:28:48.140 is the damaging of equipment, 0:28:48.140,0:28:49.970 because if the equipment is damaged, 0:28:49.970,0:28:52.370 then it directly impacts the availability. 0:28:52.370,0:28:54.970 We have different kinds of threats associated 0:28:54.970,0:28:58.460 with the hardware equipment, like total failure, 0:28:58.460,0:29:00.980 voltage reduction, spike, surge. 0:29:00.980,0:29:02.830 So that's why we purchase one system, which 0:29:02.830,0:29:05.560 is called a PCS, power conditioning system. 0:29:05.560,0:29:07.790 In your home, we call it a stabilizer, 0:29:07.790,0:29:10.220 which is used to stabilize the power supply. 0:29:10.220,0:29:12.760 Along with that, we must require the UPS and generator 0:29:12.760,0:29:16.400 to prevent all the interruptions. 0:29:16.400,0:29:19.060 So these kinds of controls you can basically 0:29:19.060,0:29:23.290 introduce to prevent these environmental exposures.
0:29:23.290,0:29:26.590 The next important thing is called physical access 0:29:26.590,0:29:29.740 exposures and control from the auditing perspective. 0:29:29.740,0:29:33.400 We also buy alarm control panels-- 0:29:33.400,0:29:36.050 so we also buy alarm control panels, 0:29:36.050,0:29:38.740 which are separate from the burglar or security 0:29:38.740,0:29:41.150 system, which is located on the premises. 0:29:41.150,0:29:44.320 We also go for smoke detectors. 0:29:44.320,0:29:46.113 We have a smoke detector. 0:29:46.113,0:29:50.740 0:29:50.740,0:29:54.050 It gives early warning of smoke. 0:29:54.050,0:29:56.060 So this is the smoke detector we have. 0:29:56.060,0:30:00.010 If there is smoke in the room, it alerts and notifies 0:30:00.010,0:30:02.200 the concerned person. 0:30:02.200,0:30:02.990 OK. 0:30:02.990,0:30:06.762 So the detector should produce an audible alarm when activated. 0:30:06.762,0:30:09.220 It should be linked to the monitoring system, but make sure 0:30:09.220,0:30:11.560 this monitoring should be separate from the fire 0:30:11.560,0:30:12.380 department. 0:30:12.380,0:30:14.620 We also need visual verification 0:30:14.620,0:30:17.440 of the presence of water and smoke detectors 0:30:17.440,0:30:18.800 in the computer rooms. 0:30:18.800,0:30:21.430 I'm sure you have seen the buckets in red color. 0:30:21.430,0:30:26.320 We also need hand-pull fire alarms that 0:30:26.320,0:30:28.790 should be placed strategically throughout the facilities, 0:30:28.790,0:30:30.700 and they should be placed in such a manner 0:30:30.700,0:30:32.330 that they give visibility. 0:30:32.330,0:30:33.800 That's an important thing. 0:30:33.800,0:30:37.150 And also, the fire extinguishers 0:30:37.150,0:30:41.270 should be tagged for inspection and inspected at least annually.
0:30:41.270,0:30:45.670 So as an auditor, if you want to audit extinguishers and all 0:30:45.670,0:30:47.570 that, you can check the last review period. 0:30:47.570,0:30:49.820 If it basically exceeds one year, 0:30:49.820,0:30:52.700 then you can raise that as a finding in your report. 0:30:52.700,0:30:57.500 But before that, confirm why it got late, why there is a delay. 0:30:57.500,0:31:02.230 But one more important thing as an auditor: testing a fire 0:31:02.230,0:31:03.850 suppression system is also expensive. 0:31:03.850,0:31:06.500 The fire suppression system, it's always expensive to test. 0:31:06.500,0:31:08.870 And therefore, as an IS auditor, they 0:31:08.870,0:31:10.670 need to limit their test to reviewing 0:31:10.670,0:31:13.070 the documentation to ensure the system 0:31:13.070,0:31:16.850 has been inspected and tested within the last year. 0:31:16.850,0:31:18.950 We also have different kinds of controls, 0:31:18.950,0:31:24.170 like we need biometrics, something you are-- 0:31:24.170,0:31:26.390 OK, we can place that because it provides 0:31:26.390,0:31:29.260 the appropriate type of accountability in the data 0:31:29.260,0:31:29.760 center. 0:31:29.760,0:31:32.270 Because in the data center, if you just access the data center 0:31:32.270,0:31:33.860 based on your ID card and all that, 0:31:33.860,0:31:36.155 tomorrow you can deny it was you 0:31:36.155,0:31:37.890 who accessed the data center. 0:31:37.890,0:31:40.310 You can tell him that, OK, I misplaced my card 0:31:40.310,0:31:43.370 and everything, so maybe in my absence someone 0:31:43.370,0:31:45.480 has used the card and accessed the data center. 0:31:45.480,0:31:49.020 So the data center needs to prefer the strongest accountability, 0:31:49.020,0:31:53.790 and that is why we need biometrics in the data center.
0:31:53.790,0:31:56.180 But when you're talking about biometrics, 0:31:56.180,0:31:59.430 biometrics are vulnerable to two errors. 0:31:59.430,0:32:04.430 One is called FAR and one is called FRR. 0:32:04.430,0:32:07.850 False acceptance rate, where a false user is 0:32:07.850,0:32:08.993 accepted by the machine. 0:32:08.993,0:32:10.410 Example, I am not an authorized user, 0:32:10.410,0:32:12.690 but the machine has accepted me as authorized. 0:32:12.690,0:32:15.870 It has happened sometimes when I try to mimic someone's voice. 0:32:15.870,0:32:18.940 They assume it is actually the authorized user and give me 0:32:18.940,0:32:19.440 access. 0:32:19.440,0:32:21.630 That is called the false acceptance rate. 0:32:21.630,0:32:23.570 It is the biggest concern for an auditor. 0:32:23.570,0:32:27.590 And false rejection rate, where the authorized user is falsely 0:32:27.590,0:32:28.920 rejected by the machine. 0:32:28.920,0:32:33.650 Example, like-- example, like I came back from the office 0:32:33.650,0:32:36.210 and I was wearing gloves and all that. 0:32:36.210,0:32:38.490 My hands are completely dry and all that. 0:32:38.490,0:32:42.840 So when I'm trying to place my fingers or thumb on the scanner, 0:32:42.840,0:32:44.160 it has failed to recognize. 0:32:44.160,0:32:46.500 So this is basically because of FRR. 0:32:46.500,0:32:50.060 So the point where FAR and FRR basically intersect, 0:32:50.060,0:32:51.870 that is the best optimum point. 0:32:51.870,0:32:57.290 So that is the most important thing we need to consider. 0:32:57.290,0:32:59.900 Another important point that we need to understand 0:32:59.900,0:33:01.290 is security guards. 0:33:01.290,0:33:05.810 Security guards are very useful if supplemented by video 0:33:05.810,0:33:07.560 cameras and locked doors.
0:33:07.560,0:33:11.420 So guards should be supplied by an external agency that 0:33:11.420,0:33:13.310 should be bonded to protect the organization 0:33:13.310,0:33:14.640 from all kinds of losses. 0:33:14.640,0:33:17.060 We don't hire in-house security guards 0:33:17.060,0:33:19.500 because this is how frauds are possible. 0:33:19.500,0:33:22.620 So we outsource to third-party agencies which hire them, 0:33:22.620,0:33:26.180 and this is how we separate the job activities. 0:33:26.180,0:33:29.570 So let's move to the next part. 0:33:29.570,0:33:33.050 The next section is called identity and access 0:33:33.050,0:33:33.810 management. 0:33:33.810,0:33:37.700 See, we have IAAA, identification, authentication, 0:33:37.700,0:33:39.170 and authorization. 0:33:39.170,0:33:48.410 Identification, authentication, and authorization. 0:33:48.410,0:33:50.290 Suppose I went to the airport. 0:33:50.290,0:33:53.210 0:33:53.210,0:33:55.700 I went to the airport and I say, hey, my name is Prabh, 0:33:55.700,0:33:58.560 and I'm traveling from Trivandrum to Delhi. 0:33:58.560,0:34:01.140 So they will check my name in the list. 0:34:01.140,0:34:03.750 Yes, they confirm my name in the list. 0:34:03.750,0:34:05.630 But they also need to confirm, is it 0:34:05.630,0:34:07.440 the same Prabh who claims to be? 0:34:07.440,0:34:09.090 I will show my Aadhaar card. 0:34:09.090,0:34:12.650 I will show my PAN card that basically 0:34:12.650,0:34:14.185 proves, yes, I am Prabh. 0:34:14.185,0:34:15.810 So that is called authentication, 0:34:15.810,0:34:17.090 the person who claims to be. 0:34:17.090,0:34:19.520 And based on that, they give me access 0:34:19.520,0:34:23.330 to a specific seat; that is called authorization. 0:34:23.330,0:34:29.060 Under authorization, we also use access control. 0:34:29.060,0:34:31.199 So we have different types of access control.
0:34:31.199,0:34:34.260 But in CISA, they talk about two types of access control. 0:34:34.260,0:34:36.659 One is called mandatory and one is called DAC. 0:34:36.659,0:34:38.389 What is DAC? 0:34:38.389,0:34:41.659 DAC stands for discretionary, which is also 0:34:41.659,0:34:43.036 called distribution. 0:34:43.036,0:34:46.774 0:34:46.774,0:34:49.370 Before marriage, my life, my rule. 0:34:49.370,0:34:53.010 Same like that, which is called distributed access control. 0:34:53.010,0:34:55.010 What is the meaning of that is, suppose 0:34:55.010,0:34:57.940 this is the system we have, system A. OK. 0:34:57.940,0:35:03.820 So we have user 1, we have user 2, and we have user 3. 0:35:03.820,0:35:07.930 User 1 logs into the system and he creates a folder, 0:35:07.930,0:35:10.390 but he denies user 2 and user 3. 0:35:10.390,0:35:14.370 User 2 logs into the folder, the user logs into the system, 0:35:14.370,0:35:15.610 and he creates a folder. 0:35:15.610,0:35:17.680 He denies user 1 and user 3. 0:35:17.680,0:35:20.490 User 3 logs into the system, he creates a folder, 0:35:20.490,0:35:22.590 and he denies the other two. 0:35:22.590,0:35:24.700 Same as your workgroup environment. 0:35:24.700,0:35:28.180 When you log into your laptop or desktop, you create a folder. 0:35:28.180,0:35:30.720 You deny your family member. 0:35:30.720,0:35:33.697 One of your family members has access to that particular system 0:35:33.697,0:35:35.530 and they create a folder, they deny the other. 0:35:35.530,0:35:38.190 So this is called discretionary, distributed 0:35:38.190,0:35:40.620 access control, where multiple parties are 0:35:40.620,0:35:43.418 involved in giving and authorizing access. 0:35:43.418,0:35:45.210 But when we're talking about mandatory, 0:35:45.210,0:35:49.210 it is the default system access used in the military and all that.
0:35:49.210,0:35:51.310 And the best example is in your Windows, 0:35:51.310,0:35:53.640 if you really want to modify the CMD 0:35:53.640,0:35:55.830 or you want to access any application, 0:35:55.830,0:35:57.670 you need to run as an administrator. 0:35:57.670,0:35:58.812 That is a mandatory thing. 0:35:58.812,0:36:00.270 So it's an access control, which is 0:36:00.270,0:36:02.710 embedded in the system by default. 0:36:02.710,0:36:04.950 And that is called centralized access 0:36:04.950,0:36:07.720 control, which is also called NDAC. 0:36:07.720,0:36:10.330 So MAC is system-based access. 0:36:10.330,0:36:12.030 They have predefined logic. 0:36:12.030,0:36:14.740 In CMD, if you want to perform some admin command, 0:36:14.740,0:36:16.440 you need to run as a CMD. 0:36:16.440,0:36:18.390 In Linux, if you want to perform 0:36:18.390,0:36:21.760 any kind of admin activity, you need to run the sudo command. 0:36:21.760,0:36:24.750 It is a mandatory access control. 0:36:24.750,0:36:28.260 So when you're talking about authentication, 0:36:28.260,0:36:31.660 authentication basically has three factors. 0:36:31.660,0:36:33.870 Something you know, which is your password, which 0:36:33.870,0:36:36.640 is easy to compromise; something you have, 0:36:36.640,0:36:39.850 which is called ownership; and something you are, 0:36:39.850,0:36:42.280 which is biometrics; and somewhere you are, nowadays. 0:36:42.280,0:36:46.120 So token devices and one-time passwords are something you have, 0:36:46.120,0:36:47.500 which is called ownership. 0:36:47.500,0:36:49.330 Next is called single sign-on. 0:36:49.330,0:36:50.970 Single sign-on means you log in once 0:36:50.970,0:36:53.070 and access multiple resources.
0:36:53.070,0:36:55.085 An example, imagine like-- 0:36:55.085,0:36:57.660 0:36:57.660,0:37:00.460 when you're talking about single sign-on, one example 0:37:00.460,0:37:01.870 we have is Gmail. 0:37:01.870,0:37:05.200 So you open gmail.com, you log in to Gmail, 0:37:05.200,0:37:10.167 and from there, you open doc, D-O-C, dot google.com. 0:37:10.167,0:37:11.500 It doesn't ask for the password. 0:37:11.500,0:37:12.730 Then you type YouTube. 0:37:12.730,0:37:14.080 It doesn't ask for the password. 0:37:14.080,0:37:15.207 Then you type any document. 0:37:15.207,0:37:16.540 It doesn't ask for the password. 0:37:16.540,0:37:18.490 When you open Drive, it doesn't ask for the password. 0:37:18.490,0:37:20.560 So that is the best example of single sign-on. 0:37:20.560,0:37:22.050 You need to authenticate once. 0:37:22.050,0:37:24.930 And based on that, you can access any number of services 0:37:24.930,0:37:25.840 of Gmail. 0:37:25.840,0:37:29.230 But single sign-on is a concept we use within one domain. 0:37:29.230,0:37:31.410 But federation, I'm sorry for the spelling. 0:37:31.410,0:37:32.060 In a hurry. 0:37:32.060,0:37:32.560 I'm sorry. 0:37:32.560,0:37:34.090 I can correct that. 0:37:34.090,0:37:37.380 So federation is basically where you authenticate with one domain 0:37:37.380,0:37:38.650 and access the other domain. 0:37:38.650,0:37:41.400 So federation we use between two companies, 0:37:41.400,0:37:42.840 between two domains. 0:37:42.840,0:37:57.610 Example, like we have booking.com and we have Gmail. 0:37:57.610,0:38:02.470 I'm sure you have noticed, a user went to booking.com. 0:38:02.470,0:38:04.700 Now booking.com gives him the option, 0:38:04.700,0:38:07.160 log in with your Google ID or sign up. 0:38:07.160,0:38:11.260 Definitely, to save time, I will select login with the Gmail ID. 0:38:11.260,0:38:13.990 So booking.com redirects the user to Gmail.
0:38:13.990,0:38:16.390 To Gmail, I will basically provide my username 0:38:16.390,0:38:19.090 and password, and against that Gmail provides the authorization 0:38:19.090,0:38:22.180 ticket, and that authentication ticket or authorization ticket 0:38:22.180,0:38:24.430 I will provide to Booking, which confirms, yes, you are 0:38:24.430,0:38:25.690 the authorized user of Gmail. 0:38:25.690,0:38:28.130 And based on that, booking.com provides the resource. 0:38:28.130,0:38:31.210 So in this case, Gmail is the identity provider 0:38:31.210,0:38:34.150 who verifies your identity and booking.com is 0:38:34.150,0:38:36.290 the service provider who provides you services. 0:38:36.290,0:38:43.010 So federation is basically used across multiple systems. 0:38:43.010,0:38:45.520 Biometrics establish the strongest form 0:38:45.520,0:38:47.540 of accountability, which cannot be spoofed. 0:38:47.540,0:38:49.610 So we have two scanners. 0:38:49.610,0:38:50.580 One is called retina. 0:38:50.580,0:38:53.380 0:38:53.380,0:38:57.250 And the second is called iris. 0:38:57.250,0:39:03.970 Iris is-- so when you're talking about retina, 0:39:03.970,0:39:06.650 retina scans the blood vessels of your eyes. 0:39:06.650,0:39:12.100 OK, very accurate, but difficult to implement because it has 0:39:12.100,0:39:14.950 acceptance issues, whereas iris 0:39:14.950,0:39:16.580 is accurate with acceptance. 0:39:16.580,0:39:18.410 If you ask me which is more accurate, 0:39:18.410,0:39:20.350 retina is more accurate because it is difficult 0:39:20.350,0:39:22.310 to spoof someone's blood vessels. 0:39:22.310,0:39:26.200 But iris is the second best, accepted and accurate.
0:39:26.200,0:39:28.550 When we are going for biometric solutions, 0:39:28.550,0:39:31.970 as an auditor, we also need to check the privacy policy 0:39:31.970,0:39:35.050 because implementing a biometric system in the organization 0:39:35.050,0:39:36.830 requires user acceptance. 0:39:36.830,0:39:39.520 OK, so acceptance for the solution 0:39:39.520,0:39:41.180 is very low in the organization. 0:39:41.180,0:39:43.240 So we need to review the data privacy policies 0:39:43.240,0:39:46.250 and see how they're going to use the biometric data. 0:39:46.250,0:39:49.630 So let me explain to you how biometric enrollment works. 0:39:49.630,0:39:51.860 So whenever you register for biometrics, 0:39:51.860,0:39:53.860 suppose this is the scanner we have. 0:39:53.860,0:39:55.830 Suppose this is the scanner we have. 0:39:55.830,0:39:59.380 0:39:59.380,0:40:04.130 So you place your fingers or you place your thumb on the scanner. 0:40:04.130,0:40:10.300 The scanner will capture the image and store it in the form of minutiae. 0:40:10.300,0:40:11.800 Minutiae we call it-- 0:40:11.800,0:40:13.720 minutiae or metrics we call. 0:40:13.720,0:40:17.800 Or you can say in the form of a template. 0:40:17.800,0:40:19.910 It is stored in the form of a template. 0:40:19.910,0:40:22.180 So next time when you place your finger, 0:40:22.180,0:40:26.050 it basically scans and generates that template 0:40:26.050,0:40:28.610 and compares it against the stored template. 0:40:28.610,0:40:29.870 If it matches, it gives access. 0:40:29.870,0:40:32.770 So this is-- they do like a one-to-many or many-to-many 0:40:32.770,0:40:34.420 identification. 0:40:34.420,0:40:36.530 Next important thing, audit logging. 0:40:36.530,0:40:38.890 It's very important to log everything 0:40:38.890,0:40:41.810 by which we can track accountability. 0:40:41.810,0:40:44.330 So audit logging is another important practice 0:40:44.330,0:40:45.580 we need to follow.
0:40:45.580,0:40:50.170 The next solution we have is DLP, data leak prevention. 0:40:50.170,0:40:53.500 The ultimate objective of DLP is to ensure data should not 0:40:53.500,0:40:55.720 leave in an unauthorized manner. 0:40:55.720,0:40:59.920 You have seen a lot of employees use their confidential data 0:40:59.920,0:41:02.540 and they try to send it to public portals. 0:41:02.540,0:41:06.020 So we need to prevent this data exfiltration. 0:41:06.020,0:41:07.960 The data exfiltration definition means 0:41:07.960,0:41:12.550 data should not leave the organization environment. 0:41:12.550,0:41:15.860 So we have DLP here, we have DLP here. 0:41:15.860,0:41:17.530 So example, I connect a pen drive 0:41:17.530,0:41:18.950 and try to copy the data. 0:41:18.950,0:41:21.260 That is also data leaving in an unauthorized manner, 0:41:21.260,0:41:23.530 but the DLP there will try to block it. 0:41:23.530,0:41:26.360 You open Gmail and try to upload data to Gmail. 0:41:26.360,0:41:28.670 So there an endpoint DLP or network-based DLP 0:41:28.670,0:41:30.170 will try to block the content. 0:41:30.170,0:41:34.730 So the ultimate goal of DLP is to prevent data exfiltration. 0:41:34.730,0:41:37.600 It is not a solution introduced to monitor what is 0:41:37.600,0:41:39.120 coming from outside to inside. 0:41:39.120,0:41:39.620 No. 0:41:39.620,0:41:42.940 It is a solution which monitors what is leaving the organization, 0:41:42.940,0:41:43.910 data. 0:41:43.910,0:41:45.720 What is leaving the organization's control. 0:41:45.720,0:41:48.330 Because internal threat is a difficult threat. 0:41:48.330,0:41:50.220 It's a concern for the organization 0:41:50.220,0:41:54.700 and it is the biggest threat for the organization. 0:41:54.700,0:42:00.620 The next thing we have is network and endpoint security, the most 0:42:00.620,0:42:02.690 important section of Domain 5. 0:42:02.690,0:42:05.720 Now we have different types of circuits.
0:42:05.720,0:42:06.540 What is a circuit? 0:42:06.540,0:42:10.040 A circuit is a link by which we transfer the data. 0:42:10.040,0:42:12.782 So when you're talking about circuits, the first circuit 0:42:12.782,0:42:14.490 they are talking about is the dedicated circuit. 0:42:14.490,0:42:22.550 So we have user A and we have user B. Same like the circuit 0:42:22.550,0:42:27.050 is a link which is basically up between the two parties. 0:42:27.050,0:42:30.065 And you send the data through this link. 0:42:30.065,0:42:33.510 Another example is you call your friend. 0:42:33.510,0:42:34.580 So what do you have to do? 0:42:34.580,0:42:36.120 You need to dial his number. 0:42:36.120,0:42:39.630 And once you dial his number, the link will be established. 0:42:39.630,0:42:40.860 And then you communicate. 0:42:40.860,0:42:43.500 And once it is done, you basically discard it. 0:42:43.500,0:42:45.060 But that is a circuit. 0:42:45.060,0:42:47.070 But that is not dedicated. 0:42:47.070,0:42:48.630 It is a temporary circuit. 0:42:48.630,0:42:51.330 But a dedicated circuit is a link that is always up. 0:42:51.330,0:42:53.310 Whenever you dial, it will be available. 0:42:53.310,0:42:55.410 Second is called a switched circuit. 0:42:55.410,0:42:58.040 Switched circuit: the example I gave you of the switched circuit 0:42:58.040,0:43:00.800 is you dial the person's number, you temporarily 0:43:00.800,0:43:03.380 establish the connection, you are done, and you finish. 0:43:03.380,0:43:05.790 You are done with that and you can discard the things. 0:43:05.790,0:43:08.270 So that is the difference between the dedicated and switched 0:43:08.270,0:43:08.970 circuit. 0:43:08.970,0:43:11.190 We also have packet switching technology. 0:43:11.190,0:43:14.510 Packet switching technology today is used in 4G. 0:43:14.510,0:43:16.700 I am sure you have seen Jio, Airtel, 0:43:16.700,0:43:19.500 and all that offer packet switching technology only.
0:43:19.500,0:43:21.450 That is why if you[br]do the WhatsApp call, 0:43:21.450,0:43:23.600 it has a better quality[br]than the voice call 0:43:23.600,0:43:26.600 because packet switching[br]was primarily introduced 0:43:26.600,0:43:28.110 for the data transfer. 0:43:28.110,0:43:29.340 Let's take an example. 0:43:29.340,0:43:32.060 We have a system[br]A, we have a system 0:43:32.060,0:43:36.450 B. So this is my internet. 0:43:36.450,0:43:37.830 We have a routers here. 0:43:37.830,0:43:42.990 So what packet switching[br]does, we have a data here, 0:43:42.990,0:43:44.670 data divided into packets. 0:43:44.670,0:43:46.400 So some packets goes[br]through this route 0:43:46.400,0:43:48.650 and some packet goes[br]through this route. 0:43:48.650,0:43:52.430 And by end of the day, it[br]get delivered to the B. 0:43:52.430,0:43:55.620 It doesn't give assurance in[br]what state it basically receive, 0:43:55.620,0:43:57.180 but they just send the data. 0:43:57.180,0:43:59.390 That is where the packet[br]switching is primarily 0:43:59.390,0:44:02.610 designed for the data transfer,[br]not for the voice transfer. 0:44:02.610,0:44:04.680 That's why if you're[br]in your 4G phone, 0:44:04.680,0:44:07.680 you can see the V-O-L-T-E. OK. 0:44:07.680,0:44:10.500 And your landline, it's[br]not having a dial up tones. 0:44:10.500,0:44:11.730 It has some other tones. 0:44:11.730,0:44:15.140 So today your all[br]calls is basically 0:44:15.140,0:44:18.710 done through VoIP by using[br]a packet switching only. 0:44:18.710,0:44:21.530 You also need to understand[br]the different type of networks, 0:44:21.530,0:44:24.320 like LAN, which is basically[br]a group of computers 0:44:24.320,0:44:28.430 within the organization, a group[br]of system over the internet that 0:44:28.430,0:44:33.140 is called as a WAN, and access[br]the storage is called as a SAN. 0:44:33.140,0:44:37.080 DNS is a service which translate[br]name to IP and IP to name. 
0:44:37.080,0:44:39.680 Let's take an example[br]of the smartphone. 0:44:39.680,0:44:42.530 It is difficult for you to[br]remember your friend's number. 0:44:42.530,0:44:45.380 So what you did, you saved the[br]friend's number with the name 0:44:45.380,0:44:49.230 because human mind remember[br]alphabets over the numbers. 0:44:49.230,0:44:51.930 So if I want to call[br]my friend Pankaj. 0:44:51.930,0:44:54.120 So I will type Pankaj Delhi. 0:44:54.120,0:44:57.295 So it will see by name and[br]it map with the number. 0:44:57.295,0:44:58.670 So automatically[br]dial the number. 0:44:58.670,0:45:01.650 Same like you open a[br]browser type google.com. 0:45:01.650,0:45:04.070 They send the request to[br]a specific server which 0:45:04.070,0:45:06.440 translate the name[br]to IP, and then it 0:45:06.440,0:45:09.030 will redirect you to the[br]particular web server, 0:45:09.030,0:45:09.630 like this way. 0:45:09.630,0:45:13.670 So we client and we[br]have a DNS server here. 0:45:13.670,0:45:16.350 And this is my web server. 0:45:16.350,0:45:18.630 So client has[br]requested google.com. 0:45:18.630,0:45:19.830 That request goes to DNS. 0:45:19.830,0:45:20.630 DNS said, no, boss. 0:45:20.630,0:45:23.490 Google.com on 1.1.1.1. 0:45:23.490,0:45:26.280 And this is how it[br]redirect to 1.1.1. 0:45:26.280,0:45:28.380 And then web server[br]provide the content. 0:45:28.380,0:45:31.580 So DNS is a service which[br]translate name to IP and IP 0:45:31.580,0:45:32.430 to name. 0:45:32.430,0:45:34.500 The next thing is[br]called as a DHCP. 0:45:34.500,0:45:37.100 DHCP is a service[br]which basically 0:45:37.100,0:45:40.210 provide the automated IP[br]address to all the systems. 0:45:40.210,0:45:42.910 It is difficult to manage[br]the IPs in every system. 0:45:42.910,0:45:45.390 So what I need, I want[br]a one centralized server 0:45:45.390,0:45:49.150 from where I need to assign the[br]IP address to all the clients. 
0:45:49.150,0:45:52.240 The next important topic[br]is called as a topology. 0:45:52.240,0:45:55.190 Topology is provide the[br]layout of the network. 0:45:55.190,0:45:57.970 And then we have a media type. 0:45:57.970,0:46:00.300 So we have a twisted[br]pair and fiber optic. 0:46:00.300,0:46:02.010 Twisted pair are[br]twisted together 0:46:02.010,0:46:03.817 by which it reduces[br]the attenuation. 0:46:03.817,0:46:04.650 What is attenuation? 0:46:04.650,0:46:06.130 Is loss of signal. 0:46:06.130,0:46:10.710 Fiber optic is basically[br]providing a very effective 0:46:10.710,0:46:14.670 speed, and it is having a low[br]latency and better than twisted 0:46:14.670,0:46:18.240 pair to send the sensitive data. 0:46:18.240,0:46:22.210 So this is the first part[br]of this particular series. 0:46:22.210,0:46:24.900 I'm planning to make[br]another series next week 0:46:24.900,0:46:27.190 and we'll see what can be done. 0:46:27.190,0:46:29.500 This is just a first[br]part of the Domain 5. 0:46:29.500,0:46:32.820 If you find this video useful,[br]do share your feedback and do 0:46:32.820,0:46:34.830 let me know what are[br]the other videos should 0:46:34.830,0:46:36.160 I make on the CISA? 0:46:36.160,0:46:38.090 Thank you.