[00:00:00] [MUSIC PLAYING]

[00:00:07] Hello, team. Good morning, good afternoon, good evening. And today we are going to discuss the CISA exam review, Domain 5, Protection of Information Assets. I already made one video on Domain 1, part 1 and part 2, and I got a great response on that video. And based on that, I thought, let's continue the series of that session. And that is why I have started with Domain 5 first, because a lot of CISA aspirants are struggling a bit with Domain 5. So with that state of mind, I am making this video. If you are new to this channel, do subscribe and click on the bell icon so you do not miss any of my videos. And my name is Prabh Nair. For more information, you can refer to my LinkedIn profile.

[00:00:50] So let's start with the first part. OK. The first part in this video, in this particular session, or in Domain 5, we have information asset security frameworks, standards, and guidelines. So when you're talking about industries, many industries basically use standards. They use frameworks to build some kind of controls and governance in the organization.
[00:01:17] One example, we have PCI DSS, which is used as a standard for all organizations that process payment cards. So this is the example of an industry standard. But compliance is not required by the law, because it is just used to achieve the defined objectives. Then we have some standards that are found in many industries, including health care, accounting, audits, and telecommunication. In some industries, such as electrical power, regulations require compliance with the standard. And to meet the requirement of a standard, a framework is often used to describe how the organization can achieve the compliance.

[00:01:54] Let's take an example. If you talk about one scenario here. Every organization always starts with the strategy. They create a strategy. Strategy is called a long-term plan. And then that strategy is further split into the tactical plan. And then we have an operational plan. Now when you're talking about this, this strategy was created to meet the GDPR requirement. GDPR is a data privacy regulation of the EU.
[00:02:46] Now I have a company in Kerala, and they need to comply with GDPR, definitely, because we have some employees-- we have some employees here who are residing in Kerala and they're trying to access the data, which is based out in the EU. And definitely, if you're trying to access the data of the EU, you need to comply with GDPR. So that was clear: GDPR we need in the system. But the question is, what controls do we require by which we can comply with GDPR? So the first thing what we did, we introduced the framework. In Hindi, it is called dhaancha. In English, it is called a structure, which talks about the necessary practices and procedures which are required to achieve the defined objective. Here, I want a privacy system by which I can basically make my people, process, and technology compliant with GDPR. So I want a privacy management system. So we found some frameworks for the privacy management systems. And they basically have processes and practices. So one of the processes and practices, they say that, OK, every system is required to be protected with a password.
[00:04:14] So they give me one kind of freedom that, OK, I want a password in the system. But now the question is, should I go for a specific practice and process which is given as per the framework, or should I go for any kind of industry standard for a benchmark? And there, we basically introduce the standard. Now as per ISO 27001, they say that the system must be protected with a password with eight characters. So this is some kind of metric we introduced. So that is why we say first we introduce a framework, which helps me to build the structure.

[00:04:55] Same like when you are building a house, you first design the house. Here I need a balcony, here you need a first floor, here we need a second floor, here we need a third-- Sorry. We need a first room, second room, third room, and then we decide we need a bed in each room. So this is as per the design. But what is a standard bed? What is a standard sofa? What is a standard door we require? So we used to say that it should be ISO 9001, or they have their own standard.
[00:05:23] So the standard was basically introduced to measure the effectiveness. The standard was basically introduced to set the benchmark. So whenever we are building any kind of system in the organization, first we adopt the framework. The framework comes with practices and procedures. And to enhance that practice and procedure, then we can go for the specialization standard. In this example, I want to comply with GDPR. I want a privacy system in the organization. So I adopted one of the privacy frameworks. Now, in that privacy framework, one of the practices and procedures is: must have a password. Now I have two choices. I can create my own password, which can be used, because the framework can be modified as per your business objective. But if you basically adopt the standard, because ISO claims you must have an eight-character password, so eight characters is a strong password. And tomorrow, I can claim in the industry that, yes, I am ISO 27001 certified, because I am following their particular standard. Same like CISA: if you are pursuing it just for knowledge, that is a framework.
[00:06:27] But in CISA, you need to read that stuff also which is not relevant to your profile, but that is required for the exam, because tomorrow you are going to use CISA as a named standard in your CV. So that is why in Domain 5, the most important element: you need to know the frameworks.

[00:06:46] So that is why in Domain 5, the Domain 5 itself starts with auditing the information security management framework, and the ultimate goal of the information security management framework is to reduce the risk to an acceptable level. So we have the NIST framework, which talks about the best practices: how to achieve cybersecurity, or how to achieve information security in the organization. Let me show you the document, how it looks.

[00:07:15] So this is the document we have for NIST. If you can see that, they have organized the entire process into some categories, like Identify, where they are talking about we need governance, and what is required in the governance: they talk about these are the practices.
[00:07:35] And if you want to set any kind of benchmark against something, you need to claim we have the respective controls also. So you can see here. Then if I zoom it-- now, if I join one company where I want to introduce information security as a system, I can refer to this NIST framework. Based on my knowledge, I can go by a step-by-step process. They say, OK, as per the framework control one, you must have asset management. Now in this case, what is the subcategory? Like: physical devices and systems within the organization are inventoried. Software platforms and applications within the organization are inventoried. Organizational communications and data flows are mapped. External information systems are catalogued. Resources are prioritized based on their classification, criticality, and business value. And cybersecurity roles and responsibilities for the entire workforce and third parties are established. Now they have specific controls for that in detail. So for that, we can refer to the standard. So the standard was introduced to measure the effectiveness.
[00:08:41] So this is how we can basically adopt any framework. I can basically scope it as per my business requirement, by which I can eliminate the need for implementing this entire framework, and tailor it as per my business choice. So this is what we call an information security framework or cybersecurity framework.

[00:09:01] Now coming back, so in Domain 5, the first part we talk about is auditing the information security management framework, so you can adopt any kind of benchmark which is an approved benchmark from the organization. And based on that, you can assess. See, when we're talking about any governance, policy is the foundation for any governance. What is governance like? In order to manage kids at home, that is your governance. Manage a country, run a country's operation: that is governance. So governance is-- governance is an important part of the organization, and policy is the foundation of governance. If I say policy, policy is the management statement. Policy is the management intent. Anything they want to enforce in the organization, they create a policy for that.
[00:09:49] Example, like every system must be protected with a password. So it's a policy. Password must be eight characters. Now we introduce that as a standard. A standard is a tool by which we enforce the policy. And how to create, step by step, an eight-character password: that is a written procedure. A procedure is always detailed in nature. So policy is strategic in nature, standard is tactical in nature, and procedure is basically operational in nature. We create a detailed procedure which is easy for people to understand.

[00:10:24] Now the next thing is called security awareness and training. Now let me explain the different-- the thin line of difference between awareness, training, and education. Awareness is short term. I was under the impression that, OK, an eight-character password is a secure password. So I was using 12345678. But then I attended an awareness workshop which modified my behavior, and now I get to know that eight characters should not be only numeric. OK, so I start using alphanumeric and special characters. So that's something that modified my behavior.
[00:11:00] The question is, how to measure the effectiveness of the awareness training? By reviewing the number of people who participated in the awareness program? No. As an auditor, I can evaluate the effectiveness of awareness training by seeing the number of incidents reported. Let's take an example. Last week, we conducted the awareness workshop. And at that time, 70 incidents were reported. And this week, 140 incidents have been reported. It means people are now more aware about the incidents. So always remember, the way-- in order to measure the effectiveness of awareness training is an increase in the incident reports and a decrease in security violations. So awareness modifies the behavior. Training modifies the skill, and education modifies your career. Like doing a CISA training, serious training. See, some training is part of a training which modifies your skills. But annually, if you are attending any college program, that is called education.

[00:12:03] Another important thing that you must be familiar with, which is called data ownership.
[00:12:10] Data ownership. So data ownership is another important thing we have that you must be aware about. In data ownership, like, the data owner is the one who is ultimately accountable for the data. So whenever you are classifying any data, you basically speak to the data owner only, because data owners are best positioned to tell you the value of the data.

[00:12:33] The next important thing is called-- yeah, can we transfer the data ownership? No, you can't transfer the data ownership. So on behalf of the data owner, the one who manages the data is the data custodian, because he is responsible for storing and safeguarding the data. OK, like system analyst, computer operator, database operator: they are the ones who are the data custodians. Let's take an example. I am the business owner. I produce one data. I bring more data into the organization. Now I have an IM team, I have a database team who manage the data on behalf of me. I will say, hey, Eric. Please maintain my data.
[00:13:09] So here, Eric will maintain the protection of the data, but he will follow all my guidelines; according to that only, he protects the data. I will clearly tell him, see, this data is basically based on EU customers, so make sure you protect it effectively. So here I am the data owner who instructs him that this is the EU data. If something goes wrong, he is going to question me, and it is difficult-- it is difficult for me to answer. So here, the database administrator, based on my guidance, is going to protect the data. So the data owner is the one who values the data, and the data custodian-- the data custodian manages the data on behalf of the data owner.

[00:13:52] The third is basically called the security administrator. Security administrator is another important position we have. He is responsible for providing adequate physical and logical security for the information systems, and also providing security to the data and equipment. So his role is more like an implementer kind of thing. Example, firewall administrator. OK. VAPT guys, control implementers.
[00:14:17] These are basically called security administrators. Then we have new IT users, the ones who basically join the organization. Make sure they read and agree to the security policies, keep login ID and password secret, create quality passwords, lock all the terminals: for the IT users. Next, we have data users. Data user example: like, the IT users who are creating data; it is accessed by the data user only. I have a team who create data. OK, now you are basically the one who reviews this data. So you are the data user. So the responsibility regarding security is to be vigilant regarding the monitoring of unauthorized people in the work areas and to comply with the general security guidelines and policies. So data users include the external and internal user communities.

[00:15:03] Next, we have documented authorization. So data access should be identified and authorized in writing. So as an IS auditor, you should review a sample of the authorizations to determine if the proper level of written authority was provided. Example, I am an auditor.
[00:15:18] I am going for an audit. As per the audit, for this kind of permission, we need an approval from the senior management. So we will ask for a sample of an email which can confirm that you are authorized to access the document. And a similar pattern you can get in the CISA exam also. Like, you are an auditor. You have discovered that some access has been attempted to specific files. Now how to verify? What is the next step? The next step is we will request those exceptions. We request the email exchange which says that, OK, you're authorized to access that particular document.

[00:15:48] Next important thing, we call that terminated employee access. See, whenever any employee leaves the organization, we don't delete his account. We disable the account. The first step is notify all the departments, and the second step is revoke his access. But if the question is talking about what is the best action that we have to take against the terminated employee, the thing is: revoke his access. Termination is of two types: voluntary and involuntary.
[00:16:16] Voluntary termination is when the employee resigns, and involuntary termination is when the company asks him to leave. But during this process, during the termination process, the IS auditor needs to review whether any terminated employee is having access to the system, and that is also one of the biggest concerns. If a terminated employee already left the organization and he still has access to the organization, then it's the biggest concern. So from an exam point of view, remember, this is one of the biggest concerns we have.

[00:16:45] Whenever we are implementing any kind of control, a security baseline we have to follow. What is a baseline? A baseline is the minimum level of security that we need to follow in the system. Let me explain to you with a reference. Now I want a baseline for my organization. OK. So I want a baseline in-- So like-- example like-- I want a baseline for my system so-- for my systems. Baseline means minimum security. I want a baseline like password. I want a baseline antivirus. And I want a baseline called a security solution. OK.
[00:17:29] So this is basically baseline one, baseline two, baseline three. So example, we have system 1, system 2, and system 3. So in system 1, a password we require. That is the minimum thing we need in the organization, in the system. Now, the question is, a password is required. I agree. Now here I can refer to a standard. OK. Can we go for eight characters? Yes. And then we decide the procedure. So if you notice, I started with the baseline of the system, like I want a password. As a minimum, I need a password in any system. I want antivirus, and I want it for the system security. Now with the reference of password, I decided I will use eight characters as the minimum password in the system. And then I will create a detailed procedure for how to do that. So the baseline comes with the standard and procedure; the policy comes with the standard and procedure. So you must be familiar with the security baseline. And whenever you are conducting an audit, you can adopt the baseline.
[00:18:28] As per that, you can conduct the audit in the organization. And any kind of deviation you identify from what is agreed and what is there, you can document that as a finding. So what is the best practice we follow? So standards for security may be defined at a generic level, then for specific machines, or for a specific application system.

[00:18:52] So let's move to the next part. The next section is a very important section in Domain 5: privacy. First of all, let me explain to you the difference between privacy and secrecy. Privacy deals with the individual, and secrecy deals with the organization. That's why in the organization you have seen top secret, secret, and all that. See, when the law was introduced, the law was introduced to protect the interest of the people. Now in different, different business sectors, we have different industries. Example, in India, we have food, we have insurance, we have banks. Now, if you want to start any kind of insurance business, I need to comply with the IRDA. So what is this? This is the agency.
447 00:19:45,950 --> 00:19:48,010 This is the regulatory authority. 448 00:19:48,010 --> 00:19:49,840 And similarly, if I want to start 449 00:19:49,840 --> 00:19:51,790 any kind of food service, I need 450 00:19:51,790 --> 00:19:54,820 to comply with the FSSAI. 451 00:19:54,820 --> 00:19:57,790 So regulatory authorities are basically 452 00:19:57,790 --> 00:20:01,360 introduced in every country to control the respective industries 453 00:20:01,360 --> 00:20:04,450 and to make sure that businesses comply within the law's 454 00:20:04,450 --> 00:20:05,020 parameters. 455 00:20:05,020 --> 00:20:06,170 Compliance is nothing else. 456 00:20:06,170 --> 00:20:08,860 It is all about the act of abiding. 457 00:20:08,860 --> 00:20:12,340 So privacy is the utmost priority 458 00:20:12,340 --> 00:20:14,920 in every organization because it directly 459 00:20:14,920 --> 00:20:16,990 maps to the individual. 460 00:20:16,990 --> 00:20:21,470 So privacy is a significant aspect for the IS auditor 461 00:20:21,470 --> 00:20:23,900 also, especially in light of global regulations, 462 00:20:23,900 --> 00:20:25,560 such as GDPR. 463 00:20:25,560 --> 00:20:29,010 GDPR basically is a national privacy regulation of the EU, 464 00:20:29,010 --> 00:20:32,550 but the US does not have a national privacy regulation. 465 00:20:32,550 --> 00:20:34,010 They have industry-specific ones. 466 00:20:34,010 --> 00:20:36,780 For example, they have a-- for the health sector, 467 00:20:36,780 --> 00:20:37,550 they have HIPAA. 468 00:20:37,550 --> 00:20:40,385 For finance, they have GLBA. 469 00:20:40,385 --> 00:20:42,500 So these kinds of regulations we have. 470 00:20:42,500 --> 00:20:46,850 So to understand what level of privacy we need 471 00:20:46,850 --> 00:20:50,420 in the organization, or what level of privacy control 472 00:20:50,420 --> 00:20:54,500 we need in the systems, we perform the PIA, privacy impact 473 00:20:54,500 --> 00:20:55,110 assessment.
474 00:20:55,110 --> 00:20:58,760 And based on that, we implement the privacy management system 475 00:20:58,760 --> 00:21:00,030 in the organization. 476 00:21:00,030 --> 00:21:01,560 So what is a good practice? 477 00:21:01,560 --> 00:21:04,400 So if I say my organization-- 478 00:21:04,400 --> 00:21:06,290 OK, if I say my organization needs 479 00:21:06,290 --> 00:21:09,590 to comply with GDPR, for example. 480 00:21:09,590 --> 00:21:11,880 So I need to comply with the GDPR. 481 00:21:11,880 --> 00:21:15,120 So what I need to do first is I need to create a policy. 482 00:21:15,120 --> 00:21:18,360 So through the policy, I can make my people, process, 483 00:21:18,360 --> 00:21:20,790 and technology comply with the GDPR. 484 00:21:20,790 --> 00:21:21,290 How? 485 00:21:21,290 --> 00:21:24,960 See, I cannot go to each and every individual, process, 486 00:21:24,960 --> 00:21:28,280 and technology and explain the GDPR articles. 487 00:21:28,280 --> 00:21:31,920 So what we do is we include the GDPR information. 488 00:21:31,920 --> 00:21:33,740 So we translate the GDPR information 489 00:21:33,740 --> 00:21:35,760 as an intent in the policies. 490 00:21:35,760 --> 00:21:38,760 And then I enforce the policy in the organization, 491 00:21:38,760 --> 00:21:41,700 where people, process, and technology need to comply. 492 00:21:41,700 --> 00:21:44,960 So by complying with the privacy policy, you automatically 493 00:21:44,960 --> 00:21:46,500 comply with the GDPR. 494 00:21:46,500 --> 00:21:49,970 So this is how you are able to bring uniformity in privacy best practices 495 00:21:49,970 --> 00:21:52,050 in the organization. 496 00:21:52,050 --> 00:21:53,570 That's why we say policy is the best 497 00:21:53,570 --> 00:21:56,640 tool to be compliant with any regulatory requirement. 498 00:21:56,640 --> 00:21:58,820 And that is why senior management's intentions 499 00:21:58,820 --> 00:22:01,170 come in the policy only.
500 00:22:01,170 --> 00:22:05,760 So privacy has some good practices that must be followed, 501 00:22:05,760 --> 00:22:08,330 like private data should be collected fairly 502 00:22:08,330 --> 00:22:09,990 in an open, transparent manner. 503 00:22:09,990 --> 00:22:14,510 So if I say this organization is following effective privacy 504 00:22:14,510 --> 00:22:17,160 practice or they have a good privacy practice, 505 00:22:17,160 --> 00:22:20,000 how to check that is: do they collect the data fairly, 506 00:22:20,000 --> 00:22:21,210 in an open, transparent manner? 507 00:22:21,210 --> 00:22:23,180 For example, you visit one website which 508 00:22:23,180 --> 00:22:25,350 says how they are going to use the data. 509 00:22:25,350 --> 00:22:28,670 They are going to explain how they are basically 510 00:22:28,670 --> 00:22:29,520 managing data. 511 00:22:29,520 --> 00:22:32,030 So that shows their privacy best practice. 512 00:22:32,030 --> 00:22:35,750 And private data, or privacy data, should be kept securely 513 00:22:35,750 --> 00:22:37,550 throughout the lifecycle, from the creation 514 00:22:37,550 --> 00:22:39,180 phase to destruction. 515 00:22:39,180 --> 00:22:40,940 And the third most important thing 516 00:22:40,940 --> 00:22:43,350 is that your private data should be accurate, 517 00:22:43,350 --> 00:22:47,310 it should be complete, and it should be up to date. 518 00:22:47,310 --> 00:22:49,440 OK, so to best meet this challenge, 519 00:22:49,440 --> 00:22:50,930 management should perform the PIA, 520 00:22:50,930 --> 00:22:54,000 and the IS auditor can ask for the last review report. 521 00:22:54,000 --> 00:22:57,080 This is how, as an auditor, you are able to validate 522 00:22:57,080 --> 00:23:02,210 whether the company is in compliance with privacy practices. 523 00:23:02,210 --> 00:23:06,840 In continuation of the previous series, 524 00:23:06,840 --> 00:23:09,745 this is the second part of Domain 5.
525 00:23:09,745 --> 00:23:11,120 And in this section, we are going 526 00:23:11,120 --> 00:23:16,040 to discuss physical access and environmental controls. 527 00:23:16,040 --> 00:23:17,750 Physical access and environmental control 528 00:23:17,750 --> 00:23:20,500 is another important topic we have in Domain 5, 529 00:23:20,500 --> 00:23:23,040 and it is a bit difficult for people who 530 00:23:23,040 --> 00:23:25,050 are from a non-IT background. 531 00:23:25,050 --> 00:23:28,450 So as an IS auditor, you need to evaluate these controls. 532 00:23:28,450 --> 00:23:30,540 And in many organizations, these controls 533 00:23:30,540 --> 00:23:33,190 are designed and implemented by facility management, 534 00:23:33,190 --> 00:23:36,690 not by the information security manager or IT. 535 00:23:36,690 --> 00:23:39,360 One example I can give you of physical access 536 00:23:39,360 --> 00:23:42,640 and environmental control is the HVAC system: heating, ventilation, 537 00:23:42,640 --> 00:23:45,362 and air conditioning. 538 00:23:45,362 --> 00:23:47,650 You have seen the AC in your facilities. 539 00:23:47,650 --> 00:23:50,740 It is controlled from a system. 540 00:23:50,740 --> 00:23:53,100 We have AC in the data center also, 541 00:23:53,100 --> 00:23:55,950 a cooling system in the data center, which 542 00:23:55,950 --> 00:23:58,980 is used to maintain the optimum temperature, by which we are 543 00:23:58,980 --> 00:24:02,010 able to maintain the performance of the hardware, 544 00:24:02,010 --> 00:24:03,900 because excessive heating of the hardware 545 00:24:03,900 --> 00:24:05,380 will impact the performance. 546 00:24:05,380 --> 00:24:07,570 So what controls do we require? 547 00:24:07,570 --> 00:24:09,730 OK, that we need to understand here. 548 00:24:09,730 --> 00:24:11,670 As an auditor, I will first obtain 549 00:24:11,670 --> 00:24:13,720 the approved list of controls.
550 00:24:13,720 --> 00:24:16,862 And then I will assess the existing controls based 551 00:24:16,862 --> 00:24:18,070 on that particular parameter. 552 00:24:18,070 --> 00:24:20,390 And any kind of gap we identify, 553 00:24:20,390 --> 00:24:22,760 we will document as a finding. 554 00:24:22,760 --> 00:24:25,600 So in this, when you're talking about generic controls, 555 00:24:25,600 --> 00:24:27,530 we have three types of controls. 556 00:24:27,530 --> 00:24:29,690 One is called a managerial control. 557 00:24:29,690 --> 00:24:32,420 It is also called an administrative control. 558 00:24:32,420 --> 00:24:35,570 Then we have technical, then we have physical controls. 559 00:24:35,570 --> 00:24:40,430 A managerial control is more like a direction, more like an order. 560 00:24:40,430 --> 00:24:42,820 For example, post-COVID, the company 561 00:24:42,820 --> 00:24:48,850 has announced that you have to join the office from January 562 00:24:48,850 --> 00:24:52,760 and everyone must come with their vaccination certificate. 563 00:24:52,760 --> 00:24:54,760 So this is a kind of order, which 564 00:24:54,760 --> 00:24:57,110 is used to control the behavior of the people. 565 00:24:57,110 --> 00:24:58,720 Now people know that, OK, we need 566 00:24:58,720 --> 00:25:01,070 to have that COVID vaccination certificate. 567 00:25:01,070 --> 00:25:03,440 Only then are we able to come to the facility. 568 00:25:03,440 --> 00:25:07,450 So it is like a control to monitor and improve 569 00:25:07,450 --> 00:25:08,750 the behavior of the people. 570 00:25:08,750 --> 00:25:11,110 One more example of an administrative control 571 00:25:11,110 --> 00:25:14,420 is: without a vaccination certificate, 572 00:25:14,420 --> 00:25:15,847 no one enters the office. 573 00:25:15,847 --> 00:25:17,680 No one is supposed to enter the office. 574 00:25:17,680 --> 00:25:19,240 So it's a company announcement.
575 00:25:19,240 --> 00:25:21,840 So it is more like a managerial control. 576 00:25:21,840 --> 00:25:23,903 Second, we have a technical control. 577 00:25:23,903 --> 00:25:25,320 The technical control is something 578 00:25:25,320 --> 00:25:27,020 which is technical in nature. 579 00:25:27,020 --> 00:25:28,330 For example, a firewall. 580 00:25:28,330 --> 00:25:33,370 Now it's not something where you pick every packet and inspect it. 581 00:25:33,370 --> 00:25:33,910 No, right? 582 00:25:33,910 --> 00:25:37,690 So there is a tool involved in which we have created rules. 583 00:25:37,690 --> 00:25:40,410 And based on the rules, the tool will capture and block 584 00:25:40,410 --> 00:25:40,960 the packet. 585 00:25:40,960 --> 00:25:42,690 So there is a technical control there. 586 00:25:42,690 --> 00:25:46,420 A function is involved to block or detect the attacks. 587 00:25:46,420 --> 00:25:47,770 Then we have a physical control. 588 00:25:47,770 --> 00:25:49,860 A physical control is like a physical lock. 589 00:25:49,860 --> 00:25:50,410 OK. 590 00:25:50,410 --> 00:25:53,620 Placement of a security guard, which tries to block physically. 591 00:25:53,620 --> 00:25:55,943 So we have three types of controls. 592 00:25:55,943 --> 00:25:57,610 See, when you're talking about controls, 593 00:25:57,610 --> 00:26:00,300 a control may be proactive, which means 594 00:26:00,300 --> 00:26:02,890 it can attempt to prevent an incident, 595 00:26:02,890 --> 00:26:05,430 and it can be reactive, which allows 596 00:26:05,430 --> 00:26:09,340 the detection, containment, and recovery from an incident. 597 00:26:09,340 --> 00:26:15,180 So proactive controls are called safeguards and reactive 598 00:26:15,180 --> 00:26:17,860 controls are called countermeasures. 599 00:26:17,860 --> 00:26:21,070 600 00:26:21,070 --> 00:26:21,570 Sorry. 601 00:26:21,570 --> 00:26:30,510 602 00:26:30,510 --> 00:26:31,060 OK. 603 00:26:31,060 --> 00:26:35,250 So that is basically called a countermeasure.
604 00:26:35,250 --> 00:26:37,590 So we have two types of controls. 605 00:26:37,590 --> 00:26:40,470 For example, like before going-- 606 00:26:40,470 --> 00:26:43,000 to protect from COVID and all that, we have vaccinations. 607 00:26:43,000 --> 00:26:45,760 So that is basically called a proactive control. 608 00:26:45,760 --> 00:26:48,630 But if the vaccination becomes ineffective and 609 00:26:48,630 --> 00:26:52,410 you get impacted by COVID, the reactive control 610 00:26:52,410 --> 00:26:53,970 is to isolate yourself from the family, 611 00:26:53,970 --> 00:26:57,160 and then you can go for the 14-day period of containment. 612 00:26:57,160 --> 00:27:00,960 So this is how we have proactive and reactive. 613 00:27:00,960 --> 00:27:03,510 So the next point is called control monitoring 614 00:27:03,510 --> 00:27:04,420 and effectiveness. 615 00:27:04,420 --> 00:27:06,810 Just implementing a control will not 616 00:27:06,810 --> 00:27:08,440 achieve the defined objectives. 617 00:27:08,440 --> 00:27:10,800 We also need to check whether the control 618 00:27:10,800 --> 00:27:11,970 is working effectively. 619 00:27:11,970 --> 00:27:14,750 It is the same as if we just hire a security guard 620 00:27:14,750 --> 00:27:17,700 and now we trust that the guard is going to block everyone. 621 00:27:17,700 --> 00:27:18,260 No. 622 00:27:18,260 --> 00:27:22,010 We also see how effectively he is responding to all the threats 623 00:27:22,010 --> 00:27:22,710 and everything. 624 00:27:22,710 --> 00:27:24,800 Same as when we configure the firewall: 625 00:27:24,800 --> 00:27:26,730 simply creating rules in the firewall 626 00:27:26,730 --> 00:27:27,980 doesn't meet my objectives. 627 00:27:27,980 --> 00:27:30,530 On a regular basis, we need to test the firewalls 628 00:27:30,530 --> 00:27:33,020 by sending malformed packets and seeing whether it 629 00:27:33,020 --> 00:27:34,860 is able to detect and block them.
630 00:27:34,860 --> 00:27:38,370 So as a control is designed, implemented, and operated, 631 00:27:38,370 --> 00:27:41,600 the IS auditor should ensure the logs are enabled, because that 632 00:27:41,600 --> 00:27:46,062 is how you are able to track the effectiveness of the controls. 633 00:27:46,062 --> 00:27:48,020 And we also need to ensure, as an auditor, 634 00:27:48,020 --> 00:27:51,180 we need to ensure they are testing on a regular basis. 635 00:27:51,180 --> 00:27:51,720 OK. 636 00:27:51,720 --> 00:27:53,845 And a procedure should be developed by which they 637 00:27:53,845 --> 00:27:55,110 are able to test effectively. 638 00:27:55,110 --> 00:27:57,410 And as an IS auditor, you should also ensure 639 00:27:57,410 --> 00:27:59,960 they have the capability to monitor the controls 640 00:27:59,960 --> 00:28:03,213 and support the monitoring system in the control design. 641 00:28:03,213 --> 00:28:06,920 642 00:28:06,920 --> 00:28:10,070 The next thing is called environmental exposures. 643 00:28:10,070 --> 00:28:13,240 See, environmental exposures are due primarily 644 00:28:13,240 --> 00:28:16,090 to naturally occurring events, such as lightning, 645 00:28:16,090 --> 00:28:20,750 storms, earthquakes, volcanic eruptions, hurricanes, 646 00:28:20,750 --> 00:28:23,300 and extreme weather conditions. 647 00:28:23,300 --> 00:28:26,800 So one particular area of concern, 648 00:28:26,800 --> 00:28:29,410 which comes from an environmental exposure, 649 00:28:29,410 --> 00:28:31,730 is called damage to equipment. 650 00:28:31,730 --> 00:28:33,560 Right now I'm doing this training. 651 00:28:33,560 --> 00:28:35,920 Suddenly there is a power issue and it directly 652 00:28:35,920 --> 00:28:37,160 impacts my hardware. 653 00:28:37,160 --> 00:28:41,260 And because of that, my system gets shut down, or it restarts, 654 00:28:41,260 --> 00:28:42,380 or it can be damaged.
655 00:28:42,380 --> 00:28:46,150 So as an auditor, the biggest concern for us 656 00:28:46,150 --> 00:28:48,140 is the damaging of equipment, 657 00:28:48,140 --> 00:28:49,970 because if the equipment is damaged, 658 00:28:49,970 --> 00:28:52,370 then it directly impacts availability. 659 00:28:52,370 --> 00:28:54,970 We have different kinds of threats associated 660 00:28:54,970 --> 00:28:58,460 with the hardware equipment, like total failure, 661 00:28:58,460 --> 00:29:00,980 voltage reduction, spike, surge. 662 00:29:00,980 --> 00:29:02,830 So that's why we purchase one system, which 663 00:29:02,830 --> 00:29:05,560 is called a PCS, power conditioning system. 664 00:29:05,560 --> 00:29:07,790 In your home, we call it a stabilizer, 665 00:29:07,790 --> 00:29:10,220 which is used to stabilize the power supply. 666 00:29:10,220 --> 00:29:12,760 Along with that, we must require the UPS and generator 667 00:29:12,760 --> 00:29:16,400 to prevent all the interruptions. 668 00:29:16,400 --> 00:29:19,060 So these kinds of controls you can basically 669 00:29:19,060 --> 00:29:23,290 introduce to prevent these environmental exposures. 670 00:29:23,290 --> 00:29:26,590 The next important thing is called physical access 671 00:29:26,590 --> 00:29:29,740 exposures and controls from the auditing perspective. 672 00:29:29,740 --> 00:29:33,400 We also buy alarm control panels-- 673 00:29:33,400 --> 00:29:36,050 so we also buy alarm control panels, 674 00:29:36,050 --> 00:29:38,740 which are separated from the burglar or security 675 00:29:38,740 --> 00:29:41,150 system, which is located on the premises. 676 00:29:41,150 --> 00:29:44,320 We also go for smoke detectors. 677 00:29:44,320 --> 00:29:46,113 We have a smoke detector. 678 00:29:46,113 --> 00:29:50,740 679 00:29:50,740 --> 00:29:54,050 It gives early warning of smoke. 680 00:29:54,050 --> 00:29:56,060 So this is the smoke detector we have.
681 00:29:56,060 --> 00:30:00,010 If there is smoke in the room, it raises an alert and notifies 682 00:30:00,010 --> 00:30:02,200 the concerned person. 683 00:30:02,200 --> 00:30:02,990 OK. 684 00:30:02,990 --> 00:30:06,762 So the detector should produce an audible alarm when activated. 685 00:30:06,762 --> 00:30:09,220 It should be linked to the monitoring system, but make sure 686 00:30:09,220 --> 00:30:11,560 this monitoring is separate from the fire 687 00:30:11,560 --> 00:30:12,380 department. 688 00:30:12,380 --> 00:30:14,620 We also need visual verification 689 00:30:14,620 --> 00:30:17,440 of the presence of water and smoke detectors 690 00:30:17,440 --> 00:30:18,800 in the computer rooms. 691 00:30:18,800 --> 00:30:21,430 I'm sure you have seen the buckets in red color. 692 00:30:21,430 --> 00:30:26,320 We also need hand-pull fire alarms that 693 00:30:26,320 --> 00:30:28,790 should be placed strategically throughout the facilities, 694 00:30:28,790 --> 00:30:30,700 and they should be placed in such a manner 695 00:30:30,700 --> 00:30:32,330 that they give visibility. 696 00:30:32,330 --> 00:30:33,800 That's an important thing. 697 00:30:33,800 --> 00:30:37,150 And also, the fire extinguisher 698 00:30:37,150 --> 00:30:41,270 should be tagged for inspection and inspected at least annually. 699 00:30:41,270 --> 00:30:45,670 So as an auditor, if you want to audit extinguishers and all 700 00:30:45,670 --> 00:30:47,570 that, you can check the last review period. 701 00:30:47,570 --> 00:30:49,820 If it basically exceeds one year, 702 00:30:49,820 --> 00:30:52,700 then you can raise that as a finding in your report. 703 00:30:52,700 --> 00:30:57,500 But before that, confirm why it got late, why there is a delay. 704 00:30:57,500 --> 00:31:02,230 But one more important thing as an auditor: testing a fire 705 00:31:02,230 --> 00:31:03,850 suppression system is also expensive.
706 00:31:03,850 --> 00:31:06,500 The fire suppression system, it's always expensive to test. 707 00:31:06,500 --> 00:31:08,870 And therefore, as an IS auditor, they 708 00:31:08,870 --> 00:31:10,670 need to limit their test to reviewing 709 00:31:10,670 --> 00:31:13,070 the documentation to ensure the system 710 00:31:13,070 --> 00:31:16,850 has been inspected and tested within the last year. 711 00:31:16,850 --> 00:31:18,950 We also have different kinds of controls, 712 00:31:18,950 --> 00:31:24,170 like we need a biometric, something you are-- 713 00:31:24,170 --> 00:31:26,390 OK, we can place it because that provides 714 00:31:26,390 --> 00:31:29,260 the appropriate type of accountability in the data 715 00:31:29,260 --> 00:31:29,760 center. 716 00:31:29,760 --> 00:31:32,270 Because in the data center, if you just access the data center 717 00:31:32,270 --> 00:31:33,860 based on your ID card and all that, 718 00:31:33,860 --> 00:31:36,155 tomorrow you can deny that it was you 719 00:31:36,155 --> 00:31:37,890 who accessed the data center. 720 00:31:37,890 --> 00:31:40,310 You can tell him that, OK, I misplaced my card 721 00:31:40,310 --> 00:31:43,370 and everything, so maybe in my absence someone 722 00:31:43,370 --> 00:31:45,480 used the card and accessed the data center. 723 00:31:45,480 --> 00:31:49,020 So the data center needs to prefer the strongest accountability, 724 00:31:49,020 --> 00:31:53,790 and that is why we need biometrics in the data center. 725 00:31:53,790 --> 00:31:56,180 But when you're talking about biometrics, 726 00:31:56,180 --> 00:31:59,430 biometrics are vulnerable to two errors. 727 00:31:59,430 --> 00:32:04,430 One is called FAR and one is called FRR. 728 00:32:04,430 --> 00:32:07,850 False acceptance rate, where a false user is 729 00:32:07,850 --> 00:32:08,993 accepted by the machine.
730 00:32:08,993 --> 00:32:10,410 For example, I am not an authorized user, 731 00:32:10,410 --> 00:32:12,690 but the machine has accepted me as authorized. 732 00:32:12,690 --> 00:32:15,870 It has happened sometimes when I try to mimic someone's voice. 733 00:32:15,870 --> 00:32:18,940 They assume it is actually the authorized user and give me 734 00:32:18,940 --> 00:32:19,440 access. 735 00:32:19,440 --> 00:32:21,630 That is called the false acceptance rate. 736 00:32:21,630 --> 00:32:23,570 It is the biggest concern for an auditor. 737 00:32:23,570 --> 00:32:27,590 And the false rejection rate, where the authorized user is falsely 738 00:32:27,590 --> 00:32:28,920 rejected by the machine. 739 00:32:28,920 --> 00:32:33,650 For example, like-- for example, like I came back from the office 740 00:32:33,650 --> 00:32:36,210 and I was wearing gloves and all that. 741 00:32:36,210 --> 00:32:38,490 My hands are completely dry and all that. 742 00:32:38,490 --> 00:32:42,840 So when I'm trying to place my fingers or thumb on the scanner, 743 00:32:42,840 --> 00:32:44,160 it has failed to recognize me. 744 00:32:44,160 --> 00:32:46,500 So this is basically because of FRR. 745 00:32:46,500 --> 00:32:50,060 So the point where FAR and FRR basically intersect, 746 00:32:50,060 --> 00:32:51,870 that is the best optimum point. 747 00:32:51,870 --> 00:32:57,290 So that is the most important thing we need to consider. 748 00:32:57,290 --> 00:32:59,900 Another important point that we need to understand 749 00:32:59,900 --> 00:33:01,290 is security guards. 750 00:33:01,290 --> 00:33:05,810 Security guards are very useful if supplemented by video 751 00:33:05,810 --> 00:33:07,560 cameras and locked doors. 752 00:33:07,560 --> 00:33:11,420 So guards should be supplied by an external agency that 753 00:33:11,420 --> 00:33:13,310 should be bonded to protect the organization 754 00:33:13,310 --> 00:33:14,640 from all kinds of losses.
755 00:33:14,640 --> 00:33:17,060 We don't hire in-house security guards 756 00:33:17,060 --> 00:33:19,500 because this is how frauds are possible. 757 00:33:19,500 --> 00:33:22,620 So we outsource to third-party agencies which hire them, 758 00:33:22,620 --> 00:33:26,180 and this is how we separate the job activities. 759 00:33:26,180 --> 00:33:29,570 So let's move to the next part. 760 00:33:29,570 --> 00:33:33,050 The next section is called identity and access 761 00:33:33,050 --> 00:33:33,810 management. 762 00:33:33,810 --> 00:33:37,700 See, we have IAAA: identification, authentication, 763 00:33:37,700 --> 00:33:39,170 and authorization. 764 00:33:39,170 --> 00:33:48,410 Identification, authentication, and authorization. 765 00:33:48,410 --> 00:33:50,290 Suppose I went to the airport. 766 00:33:50,290 --> 00:33:53,210 767 00:33:53,210 --> 00:33:55,700 I went to the airport and I say, hey, my name is Prabh, 768 00:33:55,700 --> 00:33:58,560 and I'm traveling from Trivandrum to Delhi. 769 00:33:58,560 --> 00:34:01,140 So they will check my name in the list. 770 00:34:01,140 --> 00:34:03,750 Yes, they confirm my name is in the list. 771 00:34:03,750 --> 00:34:05,630 But they also need to confirm, is it 772 00:34:05,630 --> 00:34:07,440 the same Prabh who claims to be? 773 00:34:07,440 --> 00:34:09,090 I will show my Aadhaar card. 774 00:34:09,090 --> 00:34:12,650 I will show my PAN card, which basically 775 00:34:12,650 --> 00:34:14,185 proves, yes, I am Prabh. 776 00:34:14,185 --> 00:34:15,810 So that is called authentication: 777 00:34:15,810 --> 00:34:17,090 the person is who they claim to be. 778 00:34:17,090 --> 00:34:19,520 And based on that, they give me access 779 00:34:19,520 --> 00:34:23,330 to a specific seat; that is called authorization. 780 00:34:23,330 --> 00:34:29,060 Under authorization, we also use access control. 781 00:34:29,060 --> 00:34:31,199 So we have different types of access control.
782 00:34:31,199 --> 00:34:34,260 But in CISA, they talk about two types of access control. 783 00:34:34,260 --> 00:34:36,659 One is called mandatory and one is called DAC. 784 00:34:36,659 --> 00:34:38,389 What is DAC? 785 00:34:38,389 --> 00:34:41,659 DAC stands for discretionary, which is also 786 00:34:41,659 --> 00:34:43,036 called distributed. 787 00:34:43,036 --> 00:34:46,774 788 00:34:46,774 --> 00:34:49,370 Before marriage, my life, my rules. 789 00:34:49,370 --> 00:34:53,010 Same like that, which is called distributed access control. 790 00:34:53,010 --> 00:34:55,010 What that means is, suppose 791 00:34:55,010 --> 00:34:57,940 this is the system we have, system A. OK. 792 00:34:57,940 --> 00:35:03,820 So we have user 1, we have user 2, and we have user 3. 793 00:35:03,820 --> 00:35:07,930 User 1 logs into the system and he creates a folder, 794 00:35:07,930 --> 00:35:10,390 but he denies user 2 and user 3. 795 00:35:10,390 --> 00:35:14,370 User 2 logs into the folder, the user logs into the system, 796 00:35:14,370 --> 00:35:15,610 and he creates a folder. 797 00:35:15,610 --> 00:35:17,680 He denies user 1 and user 3. 798 00:35:17,680 --> 00:35:20,490 User 3 logs into the system, he creates a folder, 799 00:35:20,490 --> 00:35:22,590 and he denies the other two. 800 00:35:22,590 --> 00:35:24,700 So it is the same as your workgroup environment. 801 00:35:24,700 --> 00:35:28,180 When you log into your laptop or desktop, you create a folder. 802 00:35:28,180 --> 00:35:30,720 You deny your family members. 803 00:35:30,720 --> 00:35:33,697 One of your family members has access to that particular system 804 00:35:33,697 --> 00:35:35,530 and they create a folder; they deny others. 805 00:35:35,530 --> 00:35:38,190 So this is called discretionary, distributed 806 00:35:38,190 --> 00:35:40,620 access control, where multiple parties are 807 00:35:40,620 --> 00:35:43,418 involved in giving and authorizing access.
808 00:35:43,418 --> 00:35:45,210 But when we're talking about mandatory, 809 00:35:45,210 --> 00:35:49,210 it is the default system access used in the military and all that. 810 00:35:49,210 --> 00:35:51,310 And the best example is in your Windows: 811 00:35:51,310 --> 00:35:53,640 if you really want to modify the CMD 812 00:35:53,640 --> 00:35:55,830 or you want to access any application, 813 00:35:55,830 --> 00:35:57,670 you need to run as an administrator. 814 00:35:57,670 --> 00:35:58,812 That is a mandatory thing. 815 00:35:58,812 --> 00:36:00,270 So it's an access control which is 816 00:36:00,270 --> 00:36:02,710 embedded in the system by default. 817 00:36:02,710 --> 00:36:04,950 And that is called centralized access 818 00:36:04,950 --> 00:36:07,720 control, which is also called NDAC. 819 00:36:07,720 --> 00:36:10,330 So MAC is system-based access. 820 00:36:10,330 --> 00:36:12,030 They have predefined logic. 821 00:36:12,030 --> 00:36:14,740 In CMD, if you want to perform some admin command, 822 00:36:14,740 --> 00:36:16,440 you need to run as a CMD. 823 00:36:16,440 --> 00:36:18,390 In Linux, if you want to perform 824 00:36:18,390 --> 00:36:21,760 any kind of admin activity, you need to run the sudo command. 825 00:36:21,760 --> 00:36:24,750 It is a mandatory access control. 826 00:36:24,750 --> 00:36:28,260 So when you're talking about authentication, 827 00:36:28,260 --> 00:36:31,660 authentication basically has three factors. 828 00:36:31,660 --> 00:36:33,870 Something you know, which is your password, which 829 00:36:33,870 --> 00:36:36,640 is easy to compromise; something you have, 830 00:36:36,640 --> 00:36:39,850 which is called ownership; and something you are, 831 00:36:39,850 --> 00:36:42,280 which is a biometric; and somewhere you are, nowadays. 832 00:36:42,280 --> 00:36:46,120 So a token device and one-time password are something you have, 833 00:36:46,120 --> 00:36:47,500 which is called ownership.
834 00:36:47,500 --> 00:36:49,330 Next is called single sign-on. 835 00:36:49,330 --> 00:36:50,970 Single sign-on means you log in once 836 00:36:50,970 --> 00:36:53,070 and access multiple resources. 837 00:36:53,070 --> 00:36:55,085 An example, imagine like-- 838 00:36:55,085 --> 00:36:57,660 839 00:36:57,660 --> 00:37:00,460 when you're talking about single sign-on, one example 840 00:37:00,460 --> 00:37:01,870 we have is Gmail. 841 00:37:01,870 --> 00:37:05,200 So you open gmail.com, you log in to Gmail, 842 00:37:05,200 --> 00:37:10,167 and from there, you open doc, D-O-C, dot google.com. 843 00:37:10,167 --> 00:37:11,500 It doesn't ask for the password. 844 00:37:11,500 --> 00:37:12,730 Then you type YouTube. 845 00:37:12,730 --> 00:37:14,080 It doesn't ask for the password. 846 00:37:14,080 --> 00:37:15,207 Then you type any document. 847 00:37:15,207 --> 00:37:16,540 It doesn't ask for the password. 848 00:37:16,540 --> 00:37:18,490 When you open Drive, it doesn't ask for the password. 849 00:37:18,490 --> 00:37:20,560 So that is the best example of single sign-on. 850 00:37:20,560 --> 00:37:22,050 You need to authenticate once. 851 00:37:22,050 --> 00:37:24,930 And based on that, you are able to access any number of services 852 00:37:24,930 --> 00:37:25,840 of Gmail. 853 00:37:25,840 --> 00:37:29,230 But single sign-on is a concept we use within one domain. 854 00:37:29,230 --> 00:37:31,410 But federation-- I'm sorry for the spelling. 855 00:37:31,410 --> 00:37:32,060 In a hurry. 856 00:37:32,060 --> 00:37:32,560 I'm sorry. 857 00:37:32,560 --> 00:37:34,090 I can correct that. 858 00:37:34,090 --> 00:37:37,380 So federation is basically where you authenticate with one domain 859 00:37:37,380 --> 00:37:38,650 and access the other domain. 860 00:37:38,650 --> 00:37:41,400 So federation we use between two companies, 861 00:37:41,400 --> 00:37:42,840 between two domains.
862 00:37:42,840 --> 00:37:57,610 For example, we have booking.com and we have Gmail. 863 00:37:57,610 --> 00:38:02,470 I'm sure you have noticed: a user goes to booking.com. 864 00:38:02,470 --> 00:38:04,700 Now booking.com gives him the option: 865 00:38:04,700 --> 00:38:07,160 log in with your Google ID or sign up. 866 00:38:07,160 --> 00:38:11,260 Definitely, to save time, I will select login with the Gmail ID. 867 00:38:11,260 --> 00:38:13,990 So booking.com redirects the user to Gmail. 868 00:38:13,990 --> 00:38:16,390 To Gmail, I will basically provide my username 869 00:38:16,390 --> 00:38:19,090 and password, and against that Gmail provides the authorization 870 00:38:19,090 --> 00:38:22,180 ticket, and that authentication ticket or authorization ticket 871 00:38:22,180 --> 00:38:24,430 I will provide to Booking, which confirms, yes, you are 872 00:38:24,430 --> 00:38:25,690 the authorized user of Gmail. 873 00:38:25,690 --> 00:38:28,130 And based on that, booking.com provides the resource. 874 00:38:28,130 --> 00:38:31,210 So in this case, Gmail is the identity provider 875 00:38:31,210 --> 00:38:34,150 who verifies your identity, and booking.com is 876 00:38:34,150 --> 00:38:36,290 the service provider who provides you services. 877 00:38:36,290 --> 00:38:43,010 So federation is basically used across multiple systems. 878 00:38:43,010 --> 00:38:45,520 Biometrics establish the strongest form 879 00:38:45,520 --> 00:38:47,540 of accountability, which cannot be spoofed. 880 00:38:47,540 --> 00:38:49,610 So we have two scanners. 881 00:38:49,610 --> 00:38:50,580 One is called retina. 882 00:38:50,580 --> 00:38:53,380 883 00:38:53,380 --> 00:38:57,250 And the second is called iris. 884 00:38:57,250 --> 00:39:03,970 Iris is-- so when you're talking about retina, 885 00:39:03,970 --> 00:39:06,650 retina scans the blood vessels of your eyes.
886
00:39:06,650 --> 00:39:12,100
OK, very accurate, but difficult to implement because it has

887
00:39:12,100 --> 00:39:14,950
acceptance issues, whereas the iris

888
00:39:14,950 --> 00:39:16,580
is accurate with acceptance.

889
00:39:16,580 --> 00:39:18,410
If you ask me which is more accurate,

890
00:39:18,410 --> 00:39:20,350
retina is more accurate because it is difficult

891
00:39:20,350 --> 00:39:22,310
to spoof someone's blood vessels.

892
00:39:22,310 --> 00:39:26,200
But iris is the second best: accepted and accurate.

893
00:39:26,200 --> 00:39:28,550
When we are going for biometric solutions,

894
00:39:28,550 --> 00:39:31,970
as an auditor, we also need to check the privacy policy

895
00:39:31,970 --> 00:39:35,050
because implementing a biometric system in the organization

896
00:39:35,050 --> 00:39:36,830
requires user acceptance.

897
00:39:36,830 --> 00:39:39,520
OK, so acceptance for the solution

898
00:39:39,520 --> 00:39:41,180
is very low in the organization.

899
00:39:41,180 --> 00:39:43,240
So we need to review the data privacy policies

900
00:39:43,240 --> 00:39:46,250
and see how they're going to use the biometric data.

901
00:39:46,250 --> 00:39:49,630
So let me explain to you how biometric enrollment works.

902
00:39:49,630 --> 00:39:51,860
So whenever you register for biometrics,

903
00:39:51,860 --> 00:39:53,860
suppose this is the scanner we have.

904
00:39:53,860 --> 00:39:55,830
Suppose this is the scanner we have.

905
00:39:55,830 --> 00:39:59,380

906
00:39:59,380 --> 00:40:04,130
So you place your fingers or you place your thumb on the scanner.

907
00:40:04,130 --> 00:40:10,300
The scanner will capture the image and store it in the form of minutiae.

908
00:40:10,300 --> 00:40:11,800
Minutiae we call it--

909
00:40:11,800 --> 00:40:13,720
minutiae or metrics we call.

910
00:40:13,720 --> 00:40:17,800
Or you can say in the form of a template.

911
00:40:17,800 --> 00:40:19,910
It is stored in the form of a template.
912
00:40:19,910 --> 00:40:22,180
So next time when you place your finger,

913
00:40:22,180 --> 00:40:26,050
it basically scans and generates that template

914
00:40:26,050 --> 00:40:28,610
and compares it against the stored template.

915
00:40:28,610 --> 00:40:29,870
If it matches, it gives access.

916
00:40:29,870 --> 00:40:32,770
So this is-- they do like a one-to-many or many-to-many

917
00:40:32,770 --> 00:40:34,420
identification.

918
00:40:34,420 --> 00:40:36,530
Next important thing: audit logging.

919
00:40:36,530 --> 00:40:38,890
It's very important to log everything

920
00:40:38,890 --> 00:40:41,810
by which we are able to track accountability.

921
00:40:41,810 --> 00:40:44,330
So audit logging is another important practice

922
00:40:44,330 --> 00:40:45,580
we need to follow.

923
00:40:45,580 --> 00:40:50,170
The next solution we have is DLP, data leak prevention.

924
00:40:50,170 --> 00:40:53,500
The ultimate objective of DLP is to ensure data should not

925
00:40:53,500 --> 00:40:55,720
leave in an unauthorized manner.

926
00:40:55,720 --> 00:40:59,920
You have seen a lot of employees use their confidential data

927
00:40:59,920 --> 00:41:02,540
and they try to send it to public portals.

928
00:41:02,540 --> 00:41:06,020
So we need to prevent this data exfiltration.

929
00:41:06,020 --> 00:41:07,960
Data exfiltration definition means

930
00:41:07,960 --> 00:41:12,550
data should not leave the organization environment.

931
00:41:12,550 --> 00:41:15,860
So we have DLP here, we have DLP here.

932
00:41:15,860 --> 00:41:17,530
So for example, I connect a pen drive

933
00:41:17,530 --> 00:41:18,950
and try to copy the data.

934
00:41:18,950 --> 00:41:21,260
That is also data leaving in an unauthorized manner,

935
00:41:21,260 --> 00:41:23,530
but DLP there will try to block it.

936
00:41:23,530 --> 00:41:26,360
You open Gmail and try to upload data on Gmail.
937
00:41:26,360 --> 00:41:28,670
So there is an endpoint DLP or network-based DLP

938
00:41:28,670 --> 00:41:30,170
that will try to block the content.

939
00:41:30,170 --> 00:41:34,730
So the ultimate goal of DLP is to prevent data exfiltration.

940
00:41:34,730 --> 00:41:37,600
It is not a solution introduced to monitor what is

941
00:41:37,600 --> 00:41:39,120
coming from outside to inside.

942
00:41:39,120 --> 00:41:39,620
No.

943
00:41:39,620 --> 00:41:42,940
It is a solution which monitors what is leaving the organization:

944
00:41:42,940 --> 00:41:43,910
data.

945
00:41:43,910 --> 00:41:45,720
What is leaving the organization's control.

946
00:41:45,720 --> 00:41:48,330
Because the internal threat is a difficult threat.

947
00:41:48,330 --> 00:41:50,220
It's a concern for the organization

948
00:41:50,220 --> 00:41:54,700
and it is the biggest threat for the organization.

949
00:41:54,700 --> 00:42:00,620
The next thing we have is network and endpoint security, the most

950
00:42:00,620 --> 00:42:02,690
important section of Domain 5.

951
00:42:02,690 --> 00:42:05,720
Now we have different types of circuits.

952
00:42:05,720 --> 00:42:06,540
What is a circuit?

953
00:42:06,540 --> 00:42:10,040
A circuit is a link by which we transfer the data.

954
00:42:10,040 --> 00:42:12,782
So when you're talking about circuits, the first circuit

955
00:42:12,782 --> 00:42:14,490
they are talking about is a dedicated circuit.

956
00:42:14,490 --> 00:42:22,550
So we have a user A and we have a user B. Same like the circuit

957
00:42:22,550 --> 00:42:27,050
is a link which is basically up between the two parties.

958
00:42:27,050 --> 00:42:30,065
And you send the data through this link.

959
00:42:30,065 --> 00:42:33,510
Another example is you call your friend.

960
00:42:33,510 --> 00:42:34,580
So what do you have to do?

961
00:42:34,580 --> 00:42:36,120
You need to dial his number.

962
00:42:36,120 --> 00:42:39,630
And once you dial his number, the link will be established.
963
00:42:39,630 --> 00:42:40,860
And then you communicate.

964
00:42:40,860 --> 00:42:43,500
And once it is done, you basically discard it.

965
00:42:43,500 --> 00:42:45,060
But that is a circuit.

966
00:42:45,060 --> 00:42:47,070
But that is not dedicated.

967
00:42:47,070 --> 00:42:48,630
It is a temporary circuit.

968
00:42:48,630 --> 00:42:51,330
But a dedicated circuit is a link that is always up.

969
00:42:51,330 --> 00:42:53,310
Whenever you dial, it will be available.

970
00:42:53,310 --> 00:42:55,410
Second is called a switched circuit.

971
00:42:55,410 --> 00:42:58,040
Switched circuit: I gave you the example of the switched circuit,

972
00:42:58,040 --> 00:43:00,800
it is you dial the person's number, you temporarily

973
00:43:00,800 --> 00:43:03,380
establish the connection, you are done, and you finish.

974
00:43:03,380 --> 00:43:05,790
You are done with that and you can discard the things.

975
00:43:05,790 --> 00:43:08,270
So that is the difference between the dedicated and switched

976
00:43:08,270 --> 00:43:08,970
circuit.

977
00:43:08,970 --> 00:43:11,190
We also have packet switching technology.

978
00:43:11,190 --> 00:43:14,510
Packet switching technology today is used in 4G.

979
00:43:14,510 --> 00:43:16,700
I am sure you have seen Jio, Airtel,

980
00:43:16,700 --> 00:43:19,500
and all that offer packet switching technology only.

981
00:43:19,500 --> 00:43:21,450
That is why if you do a WhatsApp call,

982
00:43:21,450 --> 00:43:23,600
it has a better quality than the voice call

983
00:43:23,600 --> 00:43:26,600
because packet switching was primarily introduced

984
00:43:26,600 --> 00:43:28,110
for data transfer.

985
00:43:28,110 --> 00:43:29,340
Let's take an example.

986
00:43:29,340 --> 00:43:32,060
We have a system A, we have a system

987
00:43:32,060 --> 00:43:36,450
B. So this is my internet.

988
00:43:36,450 --> 00:43:37,830
We have routers here.
989
00:43:37,830 --> 00:43:42,990
So what packet switching does: we have data here,

990
00:43:42,990 --> 00:43:44,670
data divided into packets.

991
00:43:44,670 --> 00:43:46,400
So some packets go through this route

992
00:43:46,400 --> 00:43:48,650
and some packets go through this route.

993
00:43:48,650 --> 00:43:52,430
And by the end of the day, it gets delivered to B.

994
00:43:52,430 --> 00:43:55,620
It doesn't give assurance in what state it is received,

995
00:43:55,620 --> 00:43:57,180
but they just send the data.

996
00:43:57,180 --> 00:43:59,390
That is where packet switching is primarily

997
00:43:59,390 --> 00:44:02,610
designed for data transfer, not for voice transfer.

998
00:44:02,610 --> 00:44:04,680
That's why if you're on your 4G phone,

999
00:44:04,680 --> 00:44:07,680
you can see the V-O-L-T-E. OK.

1000
00:44:07,680 --> 00:44:10,500
And your landline, it's not having dial-up tones.

1001
00:44:10,500 --> 00:44:11,730
It has some other tones.

1002
00:44:11,730 --> 00:44:15,140
So today all your calls are basically

1003
00:44:15,140 --> 00:44:18,710
done through VoIP by using packet switching only.

1004
00:44:18,710 --> 00:44:21,530
You also need to understand the different types of networks,

1005
00:44:21,530 --> 00:44:24,320
like LAN, which is basically a group of computers

1006
00:44:24,320 --> 00:44:28,430
within the organization, a group of systems over the internet that

1007
00:44:28,430 --> 00:44:33,140
is called a WAN, and access to the storage is called a SAN.

1008
00:44:33,140 --> 00:44:37,080
DNS is a service which translates name to IP and IP to name.

1009
00:44:37,080 --> 00:44:39,680
Let's take the example of a smartphone.

1010
00:44:39,680 --> 00:44:42,530
It is difficult for you to remember your friend's number.

1011
00:44:42,530 --> 00:44:45,380
So what you did, you saved the friend's number with the name

1012
00:44:45,380 --> 00:44:49,230
because the human mind remembers alphabets over numbers.
1013
00:44:49,230 --> 00:44:51,930
So if I want to call my friend Pankaj.

1014
00:44:51,930 --> 00:44:54,120
So I will type Pankaj Delhi.

1015
00:44:54,120 --> 00:44:57,295
So it will see by name and map it with the number.

1016
00:44:57,295 --> 00:44:58,670
So it automatically dials the number.

1017
00:44:58,670 --> 00:45:01,650
Same like you open a browser and type google.com.

1018
00:45:01,650 --> 00:45:04,070
They send the request to a specific server which

1019
00:45:04,070 --> 00:45:06,440
translates the name to IP, and then it

1020
00:45:06,440 --> 00:45:09,030
will redirect you to the particular web server,

1021
00:45:09,030 --> 00:45:09,630
like this way.

1022
00:45:09,630 --> 00:45:13,670
So we have a client and we have a DNS server here.

1023
00:45:13,670 --> 00:45:16,350
And this is my web server.

1024
00:45:16,350 --> 00:45:18,630
So the client has requested google.com.

1025
00:45:18,630 --> 00:45:19,830
That request goes to DNS.

1026
00:45:19,830 --> 00:45:20,630
DNS said, no, boss.

1027
00:45:20,630 --> 00:45:23,490
Google.com is on 1.1.1.1.

1028
00:45:23,490 --> 00:45:26,280
And this is how it redirects to 1.1.1.

1029
00:45:26,280 --> 00:45:28,380
And then the web server provides the content.

1030
00:45:28,380 --> 00:45:31,580
So DNS is a service which translates name to IP and IP

1031
00:45:31,580 --> 00:45:32,430
to name.

1032
00:45:32,430 --> 00:45:34,500
The next thing is called DHCP.

1033
00:45:34,500 --> 00:45:37,100
DHCP is a service which basically

1034
00:45:37,100 --> 00:45:40,210
provides automated IP addresses to all the systems.

1035
00:45:40,210 --> 00:45:42,910
It is difficult to manage the IPs on every system.

1036
00:45:42,910 --> 00:45:45,390
So what I need, I want one centralized server

1037
00:45:45,390 --> 00:45:49,150
from where I can assign the IP address to all the clients.

1038
00:45:49,150 --> 00:45:52,240
The next important topic is called topology.

1039
00:45:52,240 --> 00:45:55,190
Topology provides the layout of the network.
1040
00:45:55,190 --> 00:45:57,970
And then we have media type.

1041
00:45:57,970 --> 00:46:00,300
So we have twisted pair and fiber optic.

1042
00:46:00,300 --> 00:46:02,010
Twisted pair are twisted together

1043
00:46:02,010 --> 00:46:03,817
by which it reduces the attenuation.

1044
00:46:03,817 --> 00:46:04,650
What is attenuation?

1045
00:46:04,650 --> 00:46:06,130
It is loss of signal.

1046
00:46:06,130 --> 00:46:10,710
Fiber optic is basically providing a very effective

1047
00:46:10,710 --> 00:46:14,670
speed, and it has low latency and is better than twisted

1048
00:46:14,670 --> 00:46:18,240
pair to send sensitive data.

1049
00:46:18,240 --> 00:46:22,210
So this is the first part of this particular series.

1050
00:46:22,210 --> 00:46:24,900
I'm planning to make another series next week

1051
00:46:24,900 --> 00:46:27,190
and we'll see what can be done.

1052
00:46:27,190 --> 00:46:29,500
This is just the first part of Domain 5.

1053
00:46:29,500 --> 00:46:32,820
If you find this video useful, do share your feedback and do

1054
00:46:32,820 --> 00:46:34,830
let me know what other videos should

1055
00:46:34,830 --> 00:46:36,160
I make on the CISA?

1056
00:46:36,160 --> 00:46:38,090
Thank you.