CISA Domain 5 Exam Cram Part 1 2021

Edit subtitles

0:00 - 0:03

[MUSIC PLAYING]
0:03 - 0:07
0:07 - 0:08

Hello, team.
0:08 - 0:10

Good morning, good
afternoon, good evening.
0:10 - 0:11

And today we are
going to discuss
0:11 - 0:16

about CISA exam review, Domain
5, Protection of Information
0:16 - 0:16

Asset.
0:16 - 0:20

I already made one video on
domain 1, part 1 and part two,
0:20 - 0:23

and I got a great
response on that video.
0:23 - 0:25

And based on that, I
thought, let's continue
0:25 - 0:27

the series of that session.
0:27 - 0:29

And that is why I have
started with the Domain 5
0:29 - 0:32

first because lot
of CISA aspirants
0:32 - 0:34

are bit struggling
with the Domain 5.
0:34 - 0:38

So with that state of mind,
I am making this video.
0:38 - 0:40

If you are new to this
channel, do subscribe and click
0:40 - 0:43

on the bell icon so you should
not miss any of my videos.
0:43 - 0:46

And my name is Prabh Nair.
0:46 - 0:50

For more information, you can
refer my LinkedIn profile.
0:50 - 0:52

So let's start with
the first part.
0:52 - 0:53

OK.
0:53 - 0:56

The first part in this video,
in this particular session
0:56 - 1:01

or in the Domain 5, we have
information asset security
1:01 - 1:04

framework standard
and guideline.
1:04 - 1:08

So when you're talking about
industries, many industries,
1:08 - 1:10

they basically use standards.
1:10 - 1:14

They use frameworks
to build some kind
1:14 - 1:17

of a controls and governance
in the organization.
1:17 - 1:20

One example, we have
a PCI DSS, which
1:20 - 1:22

is used as a standard
for all organization
1:22 - 1:25

to process the payment cards.
1:25 - 1:27

So this is the example
of industry standard.
1:27 - 1:29

But compliance is not
required by the law
1:29 - 1:34

because it is just used to
achieve the defined objectives.
1:34 - 1:37

Then we have some standards
are found in many industries,
1:37 - 1:40

including a health care,
accounting, audits,
1:40 - 1:41

and telecommunication.
1:41 - 1:44

In some industries, such
as electrical power,
1:44 - 1:47

regulations require
compliance with the standard.
1:47 - 1:49

And to meet the
requirement of a standard,
1:49 - 1:53

framework is often used to
describe how the organization
1:53 - 1:55

can achieve the compliance.
1:55 - 1:58

Let's take an example.
1:58 - 2:01

If you talk about
one scenario here.
2:01 - 2:05
2:05 - 2:09

Every organization always
start with the strategy.
2:09 - 2:10

They create a strategy.
2:10 - 2:13
2:13 - 2:17

Strategy is called
as a long-term plan.
2:17 - 2:21

And then that
strategy is further
2:21 - 2:23

split into the tactical plan.
2:23 - 2:27
2:27 - 2:30

And then we have a
operational plan.
2:30 - 2:36
2:36 - 2:39

Now when you're talking
about this strategy
2:39 - 2:43

was created to meet
the GDPR requirement.
2:43 - 2:46

GDPR is a data
privacy regulation EU.
2:46 - 2:52

Now I have a company
in Kerala and they
2:52 - 2:55

need to comply with the
GDPR definitely because we
2:55 - 2:57

have some employees--
2:57 - 3:03

we have some employees here
who are residing in Kerala
3:03 - 3:08

and they're trying to access the
data, which is based out in EU.
3:08 - 3:12

And definitely, if you're
trying to access the data of EU,
3:12 - 3:14

you need to comply with GDPR.
3:14 - 3:18

So that were clear the
GDPR we need in the system.
3:18 - 3:23

But the question is
that, what controls
3:23 - 3:28

we required by which we can
able to comply with the GDPR?
3:28 - 3:34

So first thing what we did
we introduced the framework.
3:34 - 3:36

In Hindi, it is called dhaancha.
3:36 - 3:40

In English, it is called
as a structure, which
3:40 - 3:45

talk about the necessary
practice and procedures,
3:45 - 3:47

which required to achieve
the define objective.
3:47 - 3:51

Here, I want a privacy
system by which
3:51 - 3:53

I can basically compliance
my people process
3:53 - 3:55

technology with GDPR.
3:55 - 3:58

So I want a privacy
management system.
3:58 - 4:02

So we found some frameworks for
the privacy management systems.
4:02 - 4:06

And they basically have
a process and practices.
4:06 - 4:08

So one of the
process in practice
4:08 - 4:11

they say that, OK,
every system required
4:11 - 4:14

to be protected
with the password.
4:14 - 4:16

So they give me
one kind of freedom
4:16 - 4:20

that, OK, I want a
password in the system.
4:20 - 4:22

But now the question
is that, should I
4:22 - 4:25

go for a specific practice
and process, which
4:25 - 4:27

is given as per the
framework, or should I
4:27 - 4:31

go for any kind of a industry
standard for a benchmark?
4:31 - 4:35

And there, we basically
introduce the standard.
4:35 - 4:41

Now as per the ISO
27001, they say
4:41 - 4:44

that system must be protected
with the password with the eight
4:44 - 4:44

character.
4:44 - 4:48

So this is something is
a matrix we introduced.
4:48 - 4:50

So that is why we say
first we introduce
4:50 - 4:55

a framework, which helped
me to build the structure.
4:55 - 4:57

Same like when you
are building a house,
4:57 - 4:59

you first design the house.
4:59 - 5:02

Here, I need a balcony,
here you need a first floor,
5:02 - 5:04

here we need a second floor,
here we need a third--
5:04 - 5:05

Sorry.
5:05 - 5:08

We need a first room, second
room, third room, and then
5:08 - 5:10

we decide we need
a bed in each room.
5:10 - 5:12

So this is as per the design.
5:12 - 5:14

But what is a standard bed?
5:14 - 5:17

What is a standard sofa?
5:17 - 5:19

What is a standard
door we required?
5:19 - 5:22

So we used to say that
it should be ISO 9001
5:22 - 5:24

or they have their own standard.
5:24 - 5:26

So standard was
basically introduced
5:26 - 5:28

to measure the effectiveness.
5:28 - 5:32

Standard was basically
introduced to set the benchmark.
5:32 - 5:35

So whenever we are
building any kind
5:35 - 5:40

of a system in the organization,
first we adopt the framework.
5:40 - 5:42

The framework comes with
a practice and procedures.
5:42 - 5:45

And to enhance that
practice and procedure,
5:45 - 5:47

then we can go for the
specialization standard.
5:47 - 5:50

In this example, I want
to comply with GDPR.
5:50 - 5:52

I want a privacy system
in the organization.
5:52 - 5:54

So I adopted one of
the privacy framework.
5:54 - 5:56

Now, in that privacy
framework, one
5:56 - 5:59

of the practice and procedure
is must have a password.
5:59 - 6:00

Now I have a two choice.
6:00 - 6:01

I can create my
own password, which
6:01 - 6:04

can be used because
framework can be modified
6:04 - 6:06

as per your business objective.
6:06 - 6:09

But if you basically adopt
the standard because ISO
6:09 - 6:12

claim you must have
eight character password.
6:12 - 6:14

So eight character
is a strong password.
6:14 - 6:17

And tomorrow, when I claimed
in the industry that,
6:17 - 6:21

yes, I am a ISO 27001 certified
because I am following
6:21 - 6:22

their particular standard.
6:22 - 6:25

Same like CISA, you
are pursuing just
6:25 - 6:27

for knowledge that
is a framework.
6:27 - 6:30

But in CISA, you need to
read those stuff also,
6:30 - 6:32

which is not relevant
to your profile,
6:32 - 6:34

but that is required
for the exam
6:34 - 6:35

because tomorrow you
are going to use CISA
6:35 - 6:38

as a name standard in your CV.
6:38 - 6:42

So that is why in the Domain
5, the most important element,
6:42 - 6:44

you need to know the frameworks.
6:44 - 6:47
6:47 - 6:51

So that is why in the Domain
5, the Domain 5 itself,
6:51 - 6:54

starting with the auditing, the
information security management
6:54 - 6:58

framework and ultimate goal of
information security management
6:58 - 7:02

framework is to reduce the
risk to an acceptable level.
7:02 - 7:04

So we have a NIST
framework which
7:04 - 7:07

talks about the
best practice, how
7:07 - 7:09

to achieve the cybersecurity, or
how to achieve the information
7:09 - 7:11

security in the organization.
7:11 - 7:13

Let me show you the
document, how it look like.
7:13 - 7:16
7:16 - 7:19

So this is the document
we have for the NIST.
7:19 - 7:24

If you can see that, they have
organized the entire process
7:24 - 7:30

into some categories, like
identifies where they are
7:30 - 7:31

talking about we
need a governance,
7:31 - 7:33

and what is required
in the governance
7:33 - 7:36

they talk about these
are the practices.
7:36 - 7:38

And if you want to set
any kind of a benchmark
7:38 - 7:40

against something, you
need to claim we have
7:40 - 7:44

a respective controls also.
7:44 - 7:45

So you can see here.
7:45 - 7:47

Then if I zoom it--
7:47 - 7:50

now, if I join one
company and where
7:50 - 7:54

I want the information security
as a system I want to introduce.
7:54 - 7:58

So I can refer this NIST
framework based on my knowledge,
7:58 - 8:00

I can go by step
by step process.
8:00 - 8:03

They say, OK, as per the
framework control one,
8:03 - 8:05

you must have an
asset management.
8:05 - 8:08

Now in this case,
what is a subcategory,
8:08 - 8:10

like physical device and
system within the organizations
8:10 - 8:11

are inventoried.
8:11 - 8:14

Software platforms
and applications
8:14 - 8:16

within the organizations
are inventoried.
8:16 - 8:19

Organization communications
and data flows are mapped.
8:19 - 8:22

External information
systems are cataloged.
8:22 - 8:26

Resources are prioritized
based on the classification
8:26 - 8:29

criticality and business
value, and cyber security roles
8:29 - 8:32

and responsibility for entire
workforce in third party
8:32 - 8:33

establish.
8:33 - 8:37

Now they have a specific
controls for that in detail.
8:37 - 8:39

So for that, we can
refer the standard.
8:39 - 8:42

So standard was introduced
to measure the effectiveness.
8:42 - 8:44

So this is how we
can basically adopt
8:44 - 8:48

any framework I can basically
scope as per my business
8:48 - 8:50

requirement by which
I can eliminate
8:50 - 8:52

the need for implementing
this entire framework
8:52 - 8:55

and tailor it as per
my business choice.
8:55 - 8:59

So this is what we called as a
information security framework
8:59 - 9:01

or cyber security framework.
9:01 - 9:06

Now coming back, so in
Domain 5, the first part
9:06 - 9:09

we talk about audit the
information security management
9:09 - 9:13

framework so you can adopt
any kind of a benchmark, which
9:13 - 9:16

is approved benchmark
from the organization.
9:16 - 9:17

And based on that,
you can assess.
9:17 - 9:20

See, when we're talking
about any governance,
9:20 - 9:22

policy is the foundation
for any governance.
9:22 - 9:23

What is governance like?
9:23 - 9:25

In order to manage kids at home.
9:25 - 9:27

That is your governance.
9:27 - 9:30

Manage country, run
country's operation.
9:30 - 9:31

That is a governance.
9:31 - 9:34

So governance is
a-- governance is
9:34 - 9:36

an important part of the
organization and policy is
9:36 - 9:39

the foundation of governance.
9:39 - 9:43

If I say policy, policy is
the management statement.
9:43 - 9:45

Policy is the management intent.
9:45 - 9:48

Anything they want to
enforce in the organization,
9:48 - 9:49

they create a policy for that.
9:49 - 9:53

Example like every system must
be protected with the password.
9:53 - 9:54

So it's a policy.
9:54 - 9:56

Password must be
eight character.
9:56 - 9:58

Now we introduce as a standard.
9:58 - 10:01

Standard is a tool by which
we enforce the policy.
10:01 - 10:06

And how to create step by
step eight character password.
10:06 - 10:07

That is a written procedure.
10:07 - 10:10

Procedure always in
detail in nature.
10:10 - 10:12

So policy is
strategic in nature,
10:12 - 10:17

standard is tactical in nature,
and procedure is basically
10:17 - 10:18

operational in nature.
10:18 - 10:22

We create a detailed procedure
which is easy for people
10:22 - 10:24

to understand.
10:24 - 10:29

Now next thing is called as a
security awareness and training.
10:29 - 10:31

Now let me explain the
different-- thin line
10:31 - 10:35

difference between the
awareness, training,
10:35 - 10:37

and education.
10:37 - 10:39

Awareness is a short term.
10:39 - 10:42

I was in an impression that,
OK, eight character password
10:42 - 10:43

is a secure password.
10:43 - 10:46

So I was using a 12345678.
10:46 - 10:49

But when I attended any
awareness workshop which
10:49 - 10:53

modify my behavior and now I
get to know eight character
10:53 - 10:55

should not be only numeric.
10:55 - 10:58

OK, so I start using a
alphanumeric and spatial.
10:58 - 11:01

So that's something
modify my behavior.
11:01 - 11:04

The question is that how to
measure the effectiveness
11:04 - 11:05

of the awareness training.
11:05 - 11:07

By reviewing the
number of people
11:07 - 11:09

participated in the
awareness program?
11:09 - 11:10

No.
11:10 - 11:13

As an auditor, I
can able to evaluate
11:13 - 11:17

the effectiveness of
awareness training
11:17 - 11:21

is by seeing the number
of incidents reported.
11:21 - 11:23

Let's take an example.
11:23 - 11:26

Last week, we have conducted
the awareness workshop.
11:26 - 11:31

And at that time, we had
70 incidents was reported.
11:31 - 11:35

And this week, 140
incidents has been reported.
11:35 - 11:38

It means people are now more
aware about the incidents.
11:38 - 11:41

So always remember
the way-- in order
11:41 - 11:43

to measure the effectiveness
of awareness training
11:43 - 11:45

is increase in the
incident reports
11:45 - 11:48

and decrease in a
security violation.
11:48 - 11:50

So awareness modify
the behavior.
11:50 - 11:53

Training modify the skill, and
education modify your career.
11:53 - 11:56

Like doing a CISA
training, serious training.
11:56 - 11:58

See some training is a
part of a training which
11:58 - 11:59

modify your skills.
11:59 - 12:02

But annually you are
attending any college program
12:02 - 12:03

that is called as an education.
12:03 - 12:06

Another important thing
that you must be familiar
12:06 - 12:10

with that, which is called
as a data ownership.
12:10 - 12:12

Data ownership.
12:12 - 12:14

So data ownership is another
important thing we have
12:14 - 12:16

that you must be aware about.
12:16 - 12:18

In data ownership,
like data owner
12:18 - 12:21

is the one who ultimately
accountable for the data.
12:21 - 12:24

So whenever you
classifying any data,
12:24 - 12:26

you basically speak
to the data owner
12:26 - 12:29

only, because data owners are
best positioned to tell you
12:29 - 12:30

the value of the data.
12:30 - 12:34
12:34 - 12:37

The next important
thing is called as a--
12:37 - 12:39

yeah, can we transfer
the data ownership?
12:39 - 12:42

No, you can't transfer
the data ownership.
12:42 - 12:45

So on behalf of data
owner who manage
12:45 - 12:47

the data is the data
custodian because he
12:47 - 12:50

is responsible for storing
and safeguarding the data.
12:50 - 12:53

OK, like system analyst,
computer operator,
12:53 - 12:55

database operator, they are the
ones who are the data custodian.
12:55 - 12:57

Let's take an example.
12:57 - 12:58

I am the business owner.
12:58 - 12:59

I produce one data.
12:59 - 13:01

I bring more data
in the organization.
13:01 - 13:04

Now I have a IM team,
I have a database team
13:04 - 13:07

who manage the data
on behalf of me.
13:07 - 13:08

I will say, hey, Eric.
13:08 - 13:10

Please maintain my data.
13:10 - 13:13

So here the Eric will maintain
the protection of the data,
13:13 - 13:15

but he will follow
all my guidelines
13:15 - 13:17

according to that only
he protect the data.
13:17 - 13:19

I will clearly tell
him, see, this data
13:19 - 13:21

is basically based
on EU customer
13:21 - 13:23

so make sure you should
protect effectively.
13:23 - 13:25

So here I am a data
owner who instruct him
13:25 - 13:27

that this is the EU data.
13:27 - 13:30

If something goes wrong,
he going to question me
13:30 - 13:32

and it is a difficult-- it is
difficult for me to answer.
13:32 - 13:35

So here, the database
administrator,
13:35 - 13:38

based on my guidance,
going to protect the data.
13:38 - 13:42

So data owner one is the
one who value the data,
13:42 - 13:44

and data custodian--
13:44 - 13:47
13:47 - 13:52

data custodian manage the
data on behalf of data owner.
13:52 - 13:56

The third is basically called
as a security administrator.
13:56 - 13:58

Security administrator is
another important position
13:58 - 13:59

we have.
13:59 - 14:02

He is responsible for providing
an adequate physical and logical
14:02 - 14:05

security for the
information system,
14:05 - 14:08

and also providing a security
to the data and equipments.
14:08 - 14:12

So his role is more like a
implementer kind of thing.
14:12 - 14:14

Example, firewall administrator.
14:14 - 14:14

OK.
14:14 - 14:17

VAPT guys, control implementer.
14:17 - 14:20

These are basically called
as security administrators.
14:20 - 14:23

Then we have a new IT
users, the one who basically
14:23 - 14:24

join the organization.
14:24 - 14:28

Make sure they should read and
agree to the security policies,
14:28 - 14:30

keep login ID and
password secret,
14:30 - 14:32

create the quality
password, lock all
14:32 - 14:34

the terminals for the IT users.
14:34 - 14:36

Next is we have a data users.
14:36 - 14:38

Data user example
like the IT users
14:38 - 14:41

who are creating a data it is
accessed by the data user only.
14:41 - 14:43

I have a team who create a data.
14:43 - 14:47

OK, now you are basically
the one who review this data.
14:47 - 14:48

So you are the data user.
14:48 - 14:51

So the responsibility
regarding a security
14:51 - 14:53

and to be vigilant
regarding the monitoring
14:53 - 14:55

of the unauthorized
people in the work areas
14:55 - 14:57

and comply with the
general security guidelines
14:57 - 14:59

and policies.
14:59 - 15:02

So data users include the
external and internal user
15:02 - 15:03

communities.
15:03 - 15:06

Next, we have a
documented authorization.
15:06 - 15:08

So data access should be
identified and authorized
15:08 - 15:09

in a writing.
15:09 - 15:12

So as an IS auditor,
you should review
15:12 - 15:14

a sample of the
authorization to determine
15:14 - 15:16

if the proper level of written
authority was provided.
15:16 - 15:18

Example, I am an auditor.
15:18 - 15:19

I am going for an audit.
15:19 - 15:22

As per the audit, for this
kind of a permissions,
15:22 - 15:24

we need an approval from
the senior management.
15:24 - 15:26

So we will ask for the
sample of an email which
15:26 - 15:28

can confirm that
you are authorized
15:28 - 15:29

to access the document.
15:29 - 15:32

And the similar pattern you
can get in a CISA exam also.
15:32 - 15:34

Like you are an auditor.
15:34 - 15:37

You have discovered that some
access has been attempted
15:37 - 15:39

to access specific files.
15:39 - 15:40

Now how to verify.
15:40 - 15:41

What is the next step?
15:41 - 15:44

The next step is we will
request for those exceptions.
15:44 - 15:45

We request for
the email exchange
15:45 - 15:47

which say that, OK, you're
authorized to access
15:47 - 15:49

that particular documents.
15:49 - 15:53

Next important thing we call
that the terminated employee
15:53 - 15:53

access.
15:53 - 15:56

See, whenever any employee
leave the organization,
15:56 - 15:58

we don't delete his account.
15:58 - 15:59

We disable the account.
15:59 - 16:02

The first step is notify
all the Department
16:02 - 16:04

and the second step
is revoke his access.
16:04 - 16:06

But the question
talking about what
16:06 - 16:10

is the best action that we have
to take against the terminated
16:10 - 16:13

employee, the thing is
that revoke his access.
16:13 - 16:17

Termination is two-type:
voluntary and involuntary.
16:17 - 16:20

Voluntary termination
when employee resign,
16:20 - 16:24

and involuntary termination
when company say ask to leave.
16:24 - 16:27

But during this process,
during a termination process,
16:27 - 16:31

IS auditor need to review that
any terminated employer is
16:31 - 16:34

having access to the
system, and that is also
16:34 - 16:35

one of the biggest concern.
16:35 - 16:38

If terminated employee
already left the organization
16:38 - 16:40

and he still has access
to the organization,
16:40 - 16:41

then it's the biggest concern.
16:41 - 16:43

So from an exam point
of view, remember
16:43 - 16:46

this is one of the
biggest concern we have.
16:46 - 16:50

Whenever we implementing any
kind of a control, security
16:50 - 16:52

baseline we have to follow.
16:52 - 16:53

What is baseline?
16:53 - 16:55

Baseline is a minimum
level of security
16:55 - 16:57

that we need to
follow in the system.
16:57 - 16:59

Let me explain you
with the reference.
16:59 - 17:02

Now I want a baseline
for my organization.
17:02 - 17:03

OK.
17:03 - 17:05

So I want a baseline in--
17:05 - 17:12

So like-- example like--
17:12 - 17:15

I want a baseline
for my system so--
17:15 - 17:17

for my systems.
17:17 - 17:20

Baseline mean minimum security.
17:20 - 17:23

I want a baseline like password.
17:23 - 17:25

I want a baseline antivirus.
17:25 - 17:29

And I want a baseline called
as a security solution.
17:29 - 17:30

OK.
17:30 - 17:33

So this is basically
the baseline one,
17:33 - 17:35

baseline two, baseline three.
17:35 - 17:38

So example, we have a system
1, system 2, and system 3.
17:38 - 17:40

So in a system 1,
password we require.
17:40 - 17:43

That is a minimum thing we
need in the organization
17:43 - 17:44

in the system.
17:44 - 17:46

Now, question is
password is required.
17:46 - 17:47

I agree.
17:47 - 17:49

Now here I can refer a standard.
17:49 - 17:50

OK.
17:50 - 17:52

Can we go for the
eight character?
17:52 - 17:52

Yes.
17:52 - 17:55

And then we decide
the procedure.
17:55 - 17:58

So if you notice, I started
with the baseline of the system,
17:58 - 17:59

like I want a password.
17:59 - 18:02

Is a minimum I need a
password in any system.
18:02 - 18:06

I want antivirus and I want
for the system security.
18:06 - 18:08

Now with the
reference of password,
18:08 - 18:11

I decided I will use eight
character as a minimum password
18:11 - 18:12

in the system.
18:12 - 18:15

And then I will create
a detailed procedure
18:15 - 18:16

how to do that.
18:16 - 18:19

So baseline come with the
standard and procedure
18:19 - 18:22

policy come with the
standard and procedure.
18:22 - 18:25

So you must be familiar
with the security baseline.
18:25 - 18:27

And whenever you
conducting an audit,
18:27 - 18:28

you can adopt the baseline.
18:28 - 18:30

As per that, you
can able to conduct
18:30 - 18:31

the audit in the organization.
18:31 - 18:36

And any kind of a deviation you
identified from what is agreed
18:36 - 18:39

and what is there, you can
document that as a finding.
18:39 - 18:42

So what is the best
practice we follow?
18:42 - 18:46

So standard for security may
be defined at a generic level,
18:46 - 18:51

then for a specific machines,
or for a specific application
18:51 - 18:52

system.
18:52 - 18:56

So let's move to the next part.
18:56 - 19:00

Next section is a very important
section in Domain 5, privacy.
19:00 - 19:02

First of all, let me
explain you the difference
19:02 - 19:09

between the privacy and secrecy.
19:09 - 19:15

Privacy deal with the
individual and secrecy
19:15 - 19:16

deal with the organization.
19:16 - 19:18

That's why in the
organization you
19:18 - 19:20

have seen the top secret,
secret, and all that.
19:20 - 19:22

See, when the law
was introduced,
19:22 - 19:26

law introduced to protect
the interest of the people.
19:26 - 19:29

Now in different,
different business sectors,
19:29 - 19:31

we have different industries.
19:31 - 19:37

Example, in India, we have
a food, we have a insurance,
19:37 - 19:39

we have a bank.
19:39 - 19:42

Now, if you want to start any
kind of a insurance business,
19:42 - 19:44

I need to comply with the IRDA.
19:44 - 19:45

So what is this?
19:45 - 19:46

This is the agency.
19:46 - 19:48

This is the
regulation authority.
19:48 - 19:50

And similar thing,
if I want to start
19:50 - 19:52

any kind of a food
services, I need
19:52 - 19:55

to be comply with the FSSAI.
19:55 - 19:58

So regulation
authorities are basically
19:58 - 20:01

introduced in every country to
control a respective industries
20:01 - 20:04

and to make sure that business
should be comply under the law
20:04 - 20:05

parameter.
20:05 - 20:06

Compliance is nothing.
20:06 - 20:09

It is all about act of abiding.
20:09 - 20:12

So privacy is the
utmost priority
20:12 - 20:15

in every organization
because directly
20:15 - 20:17

map with the individual.
20:17 - 20:21

So privacy significant
aspect for the IS auditor
20:21 - 20:24

also, especially in the light
of the global regulations,
20:24 - 20:26

such as GDPR.
20:26 - 20:29

GDPR basically is a national
privacy regulation of EU,
20:29 - 20:33

but US does not have a
national privacy regulation.
20:33 - 20:34

They have an industry-specific.
20:34 - 20:37

Example, they have a--
for the health sector,
20:37 - 20:38

they have a HIPAA.
20:38 - 20:40

For the finance,
they have a GLBA.
20:40 - 20:42

So this kind of
regulations we have.
20:42 - 20:47

So to understand what is
the level of privacy we need
20:47 - 20:50

in the organization or what is
the level of privacy control
20:50 - 20:54

we need in the systems, we
perform the PIA, privacy impact
20:54 - 20:55

assessment.
20:55 - 20:59

And based on that, we implement
the privacy management system
20:59 - 21:00

in the organization.
21:00 - 21:02

So what is a good practice?
21:02 - 21:04

So if I say my organization--
21:04 - 21:06

OK, if I say my
organization need
21:06 - 21:10

to be comply with GDPR, example.
21:10 - 21:12

So I need to comply
with the GDPR.
21:12 - 21:15

So what I need to do first
is I need to create a policy.
21:15 - 21:18

So by the policy, I can
comply my people, process,
21:18 - 21:21

and technology to
be with the GDPR.
21:21 - 21:21

How?
21:21 - 21:25

See, I cannot go to each and
every individual and process,
21:25 - 21:28

and technology and explain
about the GDPR articles.
21:28 - 21:32

So what we did, we include
the GDPR information.
21:32 - 21:34

So we translate the
GDPR information
21:34 - 21:36

as an intent in the policies.
21:36 - 21:39

And then I enforce the
policy in the organization.
21:39 - 21:42

So where people process
technology need to be comply.
21:42 - 21:45

So by comply with the
privacy, you automatically
21:45 - 21:46

comply with the GDPR.
21:46 - 21:50

So this is how you can able to
bring the privacy best practices
21:50 - 21:52

uniformity in the organization.
21:52 - 21:54

That's why we say
policy is the best
21:54 - 21:57

tool to be compliant with
any regulatory requirement.
21:57 - 21:59

And that is why senior
management intentions
21:59 - 22:01

comes in the policy only.
22:01 - 22:06

So privacy has some good
practices that must be follow,
22:06 - 22:08

like private data should
be collected fairly
22:08 - 22:10

in a open, transparent manner.
22:10 - 22:15

So if I say this organization is
following the effective privacy
22:15 - 22:17

practice or they have a
good privacy practice,
22:17 - 22:20

how to check that is they
collect the data fairly,
22:20 - 22:21

open, transparent manner.
22:21 - 22:23

Example you visit
one website which
22:23 - 22:25

say how are they
going to use the data.
22:25 - 22:29

They are going to explain
about how they are basically
22:29 - 22:30

managing data.
22:30 - 22:32

So that shows their
privacy best practice.
22:32 - 22:36

And private data or privacy
data should be kept securely
22:36 - 22:38

throughout the lifecycle,
from the creation
22:38 - 22:39

phase to the destruction.
22:39 - 22:41

And the third most
important thing
22:41 - 22:43

is that your private
data should be accurate,
22:43 - 22:47

it should be complete, and
it should be up to date.
22:47 - 22:49

OK, so to best meet
this challenge,
22:49 - 22:51

management should
perform the PIA,
22:51 - 22:54

and IS auditor can ask for
the last review report.
22:54 - 22:57

This is how as an auditor
can able to validate
22:57 - 23:02

as the company is compliance
with any privacy practices.
23:02 - 23:07

With the continuation
of the previous series,
23:07 - 23:10

so this is the second
part of the Domain 5.
23:10 - 23:11

And in this section,
we are going
23:11 - 23:16

to discuss about physical access
and environmental control.
23:16 - 23:18

Physical access
environmental control
23:18 - 23:20

is another important topic
we have in our Domain 5,
23:20 - 23:23

and it is a bit difficult
for the people who
23:23 - 23:25

are from a non-IT background.
23:25 - 23:28

So as an IS auditor, you need
to evaluate these controls.
23:28 - 23:31

And in many organizations,
these controls
23:31 - 23:33

are designed and implemented
by the facility management,
23:33 - 23:37

not by the information
security manager IT.
23:37 - 23:39

One example I can give you
about the physical access
23:39 - 23:43

and environmental control is
HVAC system, heat, ventilation,
23:43 - 23:45

air conditioning.
23:45 - 23:48

You have seen the AC
in your facilities.
23:48 - 23:51

It is control from a system.
23:51 - 23:53

We have a AC in the
data center also,
23:53 - 23:56

cooling system in the
data center, which
23:56 - 23:59

is used to maintain the optimum
temperature by which we can
23:59 - 24:02

able to maintain the
performance of the hardware
24:02 - 24:04

because excessive
heating of the hardware
24:04 - 24:05

will impact the performance.
24:05 - 24:08

So what controls we required?
24:08 - 24:10

OK, that we need
to understand here.
24:10 - 24:12

As an auditor, I
will first obtain
24:12 - 24:14

the approved list of controls.
24:14 - 24:17

And then I will assess
the existing control based
24:17 - 24:18

on that particular parameter.
24:18 - 24:20

And any kind of a
gap we identify,
24:20 - 24:23

we will document
that as a finding.
24:23 - 24:26

So in this, when you're talking
about the generic controls,
24:26 - 24:28

we have a three
type of controls.
24:28 - 24:30

One is called as a
managerial control.
24:30 - 24:32

It is also called as an
administrative control.
24:32 - 24:36

Then we have a technical, then
we have a physical control.
24:36 - 24:40

Managerial control is more like
a direction, more like a order.
24:40 - 24:43

Example like
post-COVID, the company
24:43 - 24:49

has announced that you have
to join office from January
24:49 - 24:53

and everyone must come with
their vaccination certificate.
24:53 - 24:55

So this is a kind
of an order, which
24:55 - 24:57

is used to control the
behavior of the people.
24:57 - 24:59

Now people know
that, OK, we need
24:59 - 25:01

to have that COVID
vaccination certificate.
25:01 - 25:03

Then only we can able
to come to the facility.
25:03 - 25:07

So it is like a control
to monitor and improve
25:07 - 25:09

the behavior of the people.
25:09 - 25:11

One more example of an
administrative control
25:11 - 25:14

is without vaccination
certificate,
25:14 - 25:16

no one is entered
into the office.
25:16 - 25:18

No one is supposed to
enter into the office.
25:18 - 25:19

So it's a company announcement.
25:19 - 25:22

So it is more like a
managerial control.
25:22 - 25:24

Second, we have a
technical control.
25:24 - 25:25

The technical
control is something
25:25 - 25:27

which is technical in nature.
25:27 - 25:28

Example, firewall.
25:28 - 25:33

Now it's not something you
pick every packet and inspect.
25:33 - 25:34

No, right?
25:34 - 25:38

So there is a tool involved in
which we have created a rules.
25:38 - 25:40

And based on the rule, the
tool will capture and block
25:40 - 25:41

the packet.
25:41 - 25:43

So there is a technical
control there.
25:43 - 25:46

Function is involved to
block or detect the attacks.
25:46 - 25:48

Then we have a physical control.
25:48 - 25:50

Physical control is
like a physical lock.
25:50 - 25:50

OK.
25:50 - 25:54

Placement of a security guard
which try to block physically.
25:54 - 25:56

So we have a three
type of controls.
25:56 - 25:58

See, when you're
talking about controls,
25:58 - 26:00

control may be
proactive, which means
26:00 - 26:03

they can attempt to
prevent an incident,
26:03 - 26:05

and it can be
reactive, which allow
26:05 - 26:09

the detection, containment,
and recovery from an incident.
26:09 - 26:15

So proactive control are called
as a safeguard and reactive
26:15 - 26:18

control are called
as a countermeasures.
26:18 - 26:21
26:21 - 26:22

Sorry.
26:22 - 26:31
26:31 - 26:31

OK.
26:31 - 26:35

So that is basically
called as a countermeasure.
26:35 - 26:38

So we have two type of controls.
26:38 - 26:40

Example like before going--
26:40 - 26:43

protect from COVID and all
that we have vaccinations.
26:43 - 26:46

So that is basically called
as a proactive control.
26:46 - 26:49

But if vaccination
become ineffective,
26:49 - 26:52

you got impacted with the
COVID, the reactive control
26:52 - 26:54

is isolate yourself
from the family
26:54 - 26:57

and then you can go for the
14 days period of containment.
26:57 - 27:01

So this is how we have a
proactive and reactive.
27:01 - 27:04

So next point is called
as a control monitoring
27:04 - 27:04

and effectiveness.
27:04 - 27:07

Just implementing
a control will not
27:07 - 27:08

achieve the defined objectives.
27:08 - 27:11

We need to also need to
check whether control
27:11 - 27:12

is working effectively.
27:12 - 27:15

It is same like we just
hire the security guard
27:15 - 27:18

and now we trust that guard
that he going to block everyone.
27:18 - 27:18

No.
27:18 - 27:22

We also see how effectively he
responding to all the threats
27:22 - 27:23

and everything.
27:23 - 27:25

Same like when we
configure the firewall
27:25 - 27:27

and simply creating a
rules in the firewall
27:27 - 27:28

it doesn't meet my objectives.
27:28 - 27:31

On a regular basis, we
need to test the firewalls
27:31 - 27:33

by sending a malformed
packets and see whether it
27:33 - 27:35

can able to detect and block.
27:35 - 27:38

So as a controller design
implemented and operated,
27:38 - 27:42

IS auditor should ensure the
logs are enabled because that
27:42 - 27:46

is how you can able to track the
effectiveness of the controls.
27:46 - 27:48

And we also need to
ensure as an auditor
27:48 - 27:51

we need to ensure they are
testing on a regular basis.
27:51 - 27:52

OK.
27:52 - 27:54

And the procedure should
be developed by which they
27:54 - 27:55

can able to test effectively.
27:55 - 27:57

And as an IS auditor
should also ensure
27:57 - 28:00

they should have a capability
to monitor the controls
28:00 - 28:03

and support the monitoring
system in the control design.
28:03 - 28:07
28:07 - 28:10

Next thing is called as a
environmental exposures.
28:10 - 28:13

See, environmental
exposures are due primarily
28:13 - 28:16

to the naturally occurring
events, such as lightning,
28:16 - 28:21

storms, earthquake, volcanic
eruptions, hurricanes,
28:21 - 28:23

and extreme weather conditions.
28:23 - 28:27

So one particular
area of concern,
28:27 - 28:29

which is coming from an
environmental exposure,
28:29 - 28:32

is called as a
damage of equipments.
28:32 - 28:34

Right now I'm doing
this training.
28:34 - 28:36

Suddenly there is a power
issue and it directly
28:36 - 28:37

impacts my hardware.
28:37 - 28:41

And because of that, my system
get shut down or it get restart,
28:41 - 28:42

or it can damage.
28:42 - 28:46

So as an auditor, the
biggest concern for us
28:46 - 28:48

is the damaging
of an equipments,
28:48 - 28:50

because if the
equipment is damaged,
28:50 - 28:52

then it directly impact
the availability.
28:52 - 28:55

We have a different kind
of a threats associated
28:55 - 28:58

with the hardware equipment,
like total failure,
28:58 - 29:01

voltage reduce, spike, surge.
29:01 - 29:03

So that's why we purchase
one system, which
29:03 - 29:06

is called as a PCS, power
conditioning system.
29:06 - 29:08

In your home, we
called as a stabilizer,
29:08 - 29:10

which is used to stable
the power supply.
29:10 - 29:13

Along with that, we must
require the UPS and generator
29:13 - 29:16

to prevent all the
uninterrupted interruptions.
29:16 - 29:19

So these kind of controls
you can basically
29:19 - 29:23

introduce to prevent this
environmental exposures.
29:23 - 29:27

The next important thing is
called as a physical access
29:27 - 29:30

exposures and control from
the auditing perspective.
29:30 - 29:33

We also buy a alarm
control panels--
29:33 - 29:36

so we also buy alarm
control panels,
29:36 - 29:39

which is separated from
a burglars or security
29:39 - 29:41

system, which is
located on the premises.
29:41 - 29:44

We also go for the
smoke detectors.
29:44 - 29:46

We have a smoke detector.
29:46 - 29:51
29:51 - 29:54

It gives the early
warning of the smoke.
29:54 - 29:56

So this is the smoke
detector we have.
29:56 - 30:00

If there is a smoke in the
room, it get alert and notify
30:00 - 30:02

the concerned person.
30:02 - 30:03

OK.
30:03 - 30:07

So detector should produce the
audible alarm when activated.
30:07 - 30:09

It should be linked to the
monitoring system, but make sure
30:09 - 30:12

this monitoring should
be separate from the fire
30:12 - 30:12

department.
30:12 - 30:15

We also need a
visual verification
30:15 - 30:17

of the presence of water
and smoke detectors
30:17 - 30:19

in the computer rooms.
30:19 - 30:21

I'm sure you have seen the
buckets in a red color.
30:21 - 30:26

We also need a hand
pull fire alarms that
30:26 - 30:29

should be placed strategically
throughout the facilities,
30:29 - 30:31

and it should be
placed in such a manner
30:31 - 30:32

that it should give
the visibility.
30:32 - 30:34

That's an important thing.
30:34 - 30:37

And that also, that
fire extinguisher
30:37 - 30:41

should be tagged for inspection
and inspected at least annually.
30:41 - 30:46

So as an auditor, if you want
to audit extinguishers and all
30:46 - 30:48

that can check the
last review period.
30:48 - 30:50

If it's basically exceed
by more than one year,
30:50 - 30:53

then you can raise that as
a finding in your report.
30:53 - 30:58

But before that, confirm why it
got late, why there is a delay.
30:58 - 31:02

But one more important thing
as a auditor, testing fire
31:02 - 31:04

suppression system
is also expensive.
31:04 - 31:06

The fire suppression system,
it's always expensive to test.
31:06 - 31:09

And therefore, as
an IS auditor, they
31:09 - 31:11

need to limit their
test to review
31:11 - 31:13

the documentations
to ensure system
31:13 - 31:17

has been inspected and
tested within the last year.
31:17 - 31:19

We also have a different
kind of controls,
31:19 - 31:24

like we need a biometric,
something you are--
31:24 - 31:26

OK, we can place
because that provide
31:26 - 31:29

the appropriate type of
accountability in the data
31:29 - 31:30

center.
31:30 - 31:32

Because in data center, if you
just access the data center
31:32 - 31:34

based on your ID
card and all that,
31:34 - 31:36

tomorrow you can
deny it was not you
31:36 - 31:38

who accessed the data center.
31:38 - 31:40

You can tell him that,
OK, I misplaced my card
31:40 - 31:43

and everything, so might
be in my absence someone
31:43 - 31:45

has used the card and
accessed the data center.
31:45 - 31:49

So data center need to prefer
the strongest accountability,
31:49 - 31:54

and that is why we need a
biometric in the data center.
31:54 - 31:56

But when you're talking
about the biometric,
31:56 - 31:59

the biometric is vulnerable
for the two errors.
31:59 - 32:04

One is called as a FAR and
one is called as a FRR.
32:04 - 32:08

False acceptance
rate, where false user
32:08 - 32:09

accepted by the machine.
32:09 - 32:10

Example, I am not
authorized user,
32:10 - 32:13

but machine has accepted
me as an authorized.
32:13 - 32:16

It has happened sometime when
I try to mimic someone voice.
32:16 - 32:19

They assume it is actually
authorized user and give me
32:19 - 32:19

access.
32:19 - 32:22

That is called as a
false acceptance rate.
32:22 - 32:24

It is a biggest
concern for an auditor.
32:24 - 32:28

And false rejection rate where
the authorized user falsely
32:28 - 32:29

rejected by the machine.
32:29 - 32:34

Example, like-- example, like
I came back from the office
32:34 - 32:36

and I was wearing
gloves and all that.
32:36 - 32:38

My hands are completely
dry and all that.
32:38 - 32:43

So when I'm trying to place my
fingers or thumb on the scanner,
32:43 - 32:44

it has failed to recognize.
32:44 - 32:46

So this is basically
because of FRR.
32:46 - 32:50

So the point where FAR and
FRR basically intersect,
32:50 - 32:52

that is the best optimum point.
32:52 - 32:57

So that is the most important
thing we need to consider.
32:57 - 33:00

Another important point
that we need to understand
33:00 - 33:01

is security guards.
33:01 - 33:06

Security guards are very useful
if supplemental by the video
33:06 - 33:08

cameras and lock doors.
33:08 - 33:11

So guards should be supplied
by an external agency that
33:11 - 33:13

should be bonded to
protect the organization
33:13 - 33:15

from all kind of losses.
33:15 - 33:17

We don't hire the
in-house security guards
33:17 - 33:20

because this is how
frauds are possible.
33:20 - 33:23

So we outsource a third-party
agencies which hire them,
33:23 - 33:26

and this is how we separate
the job activities.
33:26 - 33:30

So let's move to the next part.
33:30 - 33:33

The next section is called
as the identity and access
33:33 - 33:34

management.
33:34 - 33:38

See, we have IAAA,
identification, authentication,
33:38 - 33:39

and authorization.
33:39 - 33:48

Identification, authentication,
and authorization.
33:48 - 33:50

Suppose I went to airport.
33:50 - 33:53
33:53 - 33:56

I went to airport and I
say, hey, my name is Prabh,
33:56 - 33:59

and I'm traveling from
Trivandrum to Delhi.
33:59 - 34:01

So they will check
my name in the list.
34:01 - 34:04

Yes, they confirm
my name in the list.
34:04 - 34:06

But they also need
to confirm, is it
34:06 - 34:07

a same Prabh who claimed to be?
34:07 - 34:09

I will show my Aadhaar card.
34:09 - 34:13

I will show my PAN
card that basically
34:13 - 34:14

prove, yes, I am Prabh.
34:14 - 34:16

So that is called as
an authentication,
34:16 - 34:17

the person who claimed to be.
34:17 - 34:20

And based on that,
they give me the access
34:20 - 34:23

to a specific seat, that is
called as an authorization.
34:23 - 34:29

Under the authorization, we
also use the access control.
34:29 - 34:31

So we have a different
type of access control.
34:31 - 34:34

But in CISA, they talk about
two type of access control.
34:34 - 34:37

One is called as a mandatory
and one is called DAC.
34:37 - 34:38

What is DAC?
34:38 - 34:42

DAC stands for
discretionary, which is also
34:42 - 34:43

called as a distribution.
34:43 - 34:47
34:47 - 34:49

Before marriage,
my life, my rule.
34:49 - 34:53

Same like that, which is called
as a distributed access control.
34:53 - 34:55

What is the meaning
of that is, suppose
34:55 - 34:58

this is the system we
have, system A. OK.
34:58 - 35:04

So we have a user 1, we have a
user 2, and we have a user 3.
35:04 - 35:08

User 1 login into the system
and he create a folder,
35:08 - 35:10

but he deny user 2 and user 3.
35:10 - 35:14

User 2 login into the folder,
user login to the system,
35:14 - 35:16

and he create a folder.
35:16 - 35:18

He deny user 1 and user 3.
35:18 - 35:20

User 3 login into the
system, he create a folder,
35:20 - 35:23

and he deny other two.
35:23 - 35:25

So same your
workgroup environment.
35:25 - 35:28

When you login into your laptop
or desktop, you create a folder.
35:28 - 35:31

You deny your family member.
35:31 - 35:34

One of your family member has
access to that particular system
35:34 - 35:36

and they create the
folder, they deny other.
35:36 - 35:38

So this is called as a
discretionary, distributed
35:38 - 35:41

access control, where
the multiple parties are
35:41 - 35:43

involved in giving an
authorizing access.
35:43 - 35:45

But when we're talking
about the mandatory,
35:45 - 35:49

it is a default system access
used in a military and all that.
35:49 - 35:51

And the best example
is in your windows,
35:51 - 35:54

if you really want
to modify the CMD
35:54 - 35:56

or you want to access
any application,
35:56 - 35:58

you need to run as
an administrator.
35:58 - 35:59

That is a mandatory thing.
35:59 - 36:00

So it's an access
control, which is
36:00 - 36:03

default embedded in the system.
36:03 - 36:05

And that is called as
a centralized access
36:05 - 36:08

control, which is also
called as an NDAC.
36:08 - 36:10

So MAC is a system-based access.
36:10 - 36:12

They have a predefined logics.
36:12 - 36:15

In CMD, if you want to
perform some admin command,
36:15 - 36:16

you need to run as a CMD.
36:16 - 36:18

In the Linux, if
you want to perform
36:18 - 36:22

any kind of a admin activity,
you need to run sudo command.
36:22 - 36:25

It is a mandatory
access control.
36:25 - 36:28

So when you're talking
about authentication,
36:28 - 36:32

authentication basically
has a three factors.
36:32 - 36:34

Something you know, which
is your password, which
36:34 - 36:37

is easy to compromise;
something you have,
36:37 - 36:40

which is called as a ownership,
and something you are,
36:40 - 36:42

which is a biometric, and
somewhere you are nowadays.
36:42 - 36:46

So token device and one-time
password is something you have,
36:46 - 36:48

which is called as a ownership.
36:48 - 36:49

Next is called as
a single sign-on.
36:49 - 36:51

Single sign-on means
you log in once
36:51 - 36:53

and access the
multiple resources.
36:53 - 36:55

An example, imagine like--
36:55 - 36:58
36:58 - 37:00

when you're talking about a
single sign-on, one example
37:00 - 37:02

we have about Gmail.
37:02 - 37:05

So you open the gmail.com,
you log in to the Gmail,
37:05 - 37:10

and from there, you open
doc, D-O-C, dot google.com.
37:10 - 37:12

It doesn't ask for the password.
37:12 - 37:13

Then you type YouTube.
37:13 - 37:14

It doesn't ask for the password.
37:14 - 37:15

Then you type any document.
37:15 - 37:17

It doesn't ask for the password.
37:17 - 37:18

When you open Drive, it
doesn't ask for the password.
37:18 - 37:21

So that is the best
example of single sign-on.
37:21 - 37:22

You need to authenticate once.
37:22 - 37:25

And based on that, you can able
to access any number of services
37:25 - 37:26

of a Gmail.
37:26 - 37:29

But single sign-on is a concept
we use within a one domain.
37:29 - 37:31

But federation, I'm
sorry for the spelling.
37:31 - 37:32

In hurry.
37:32 - 37:33

I'm sorry.
37:33 - 37:34

I can correct that.
37:34 - 37:37

So federation is basically where
you authenticate with one domain
37:37 - 37:39

and access the other domain.
37:39 - 37:41

So federation we use
between the two companies,
37:41 - 37:43

between the two domain.
37:43 - 37:58

Example like we have a
booking.com and we have a Gmail.
37:58 - 38:02

I'm sure you have noticed
user went to booking.com.
38:02 - 38:05

Now booking.com
giving him option,
38:05 - 38:07

log in with your
Google ID or sign up.
38:07 - 38:11

Definitely to save time, I will
select login with the Gmail ID.
38:11 - 38:14

So booking.com redirect
user to the Gmail.
38:14 - 38:16

To the Gmail, I will
basically provide my username
38:16 - 38:19

and password, and against that
Gmail provide the authorization
38:19 - 38:22

ticket, and that authentication
ticket or authorization ticket
38:22 - 38:24

I will provide to Booking,
which confirm, yes, you are
38:24 - 38:26

the authorized user of Gmail.
38:26 - 38:28

And based on that booking.com,
provide the resource.
38:28 - 38:31

So in this case, Gmail
is the identity provider
38:31 - 38:34

who verify your identity
and booking.com is
38:34 - 38:36

a service provider who
provide you services.
38:36 - 38:43

So federation is basically used
across the multiple systems.
38:43 - 38:46

Biometric establish
the strongest form
38:46 - 38:48

of accountability,
which cannot be spoofed.
38:48 - 38:50

So we have a two scanners.
38:50 - 38:51

One is called retina.
38:51 - 38:53
38:53 - 38:57

And we have a second
is called as a iris.
38:57 - 39:04

Iris is-- so when you're
talking about retina,
39:04 - 39:07

retina scan the blood
vessel of your eyes.
39:07 - 39:12

OK, very accurate, but difficult
to implement because it has
39:12 - 39:15

acceptance issues,
whereas the iris
39:15 - 39:17

is accurate with acceptance.
39:17 - 39:18

If you ask me which
was more accurate,
39:18 - 39:20

retina is more accurate
because difficult
39:20 - 39:22

to spoof someone's
blood vessels.
39:22 - 39:26

But iris is a second
best accept and accurate.
39:26 - 39:29

When we are going for
the biometric solutions,
39:29 - 39:32

as an auditor, we also need
to check the privacy policy
39:32 - 39:35

because implementing a biometric
system in the organization
39:35 - 39:37

requires the user acceptance.
39:37 - 39:40

OK, so acceptance
for the solution
39:40 - 39:41

is very less in
the organization.
39:41 - 39:43

So we need to review the
data privacy policies
39:43 - 39:46

and see how they're going
to use the biometric data.
39:46 - 39:50

So let me explain you how the
biometric enrollment works.
39:50 - 39:52

So whenever you
register for biometric,
39:52 - 39:54

suppose this is the
scanner we have.
39:54 - 39:56

Suppose this is the
scanner we have.
39:56 - 39:59
39:59 - 40:04

So you place your fingers or you
place your thumb on the scanner.
40:04 - 40:10

Scanner will capture the image
and stored in a form of minutes.
40:10 - 40:12

Minutes we call it--
40:12 - 40:14

minutes or metrics we call.
40:14 - 40:18

Or you can say in
a form of template.
40:18 - 40:20

It store in a form of template.
40:20 - 40:22

So next time when
you place finger,
40:22 - 40:26

it basically scan and
generate that template
40:26 - 40:29

and compare against
the stored template.
40:29 - 40:30

If it match, it give access.
40:30 - 40:33

So this is-- they do like a
one-to-many or many-to-many
40:33 - 40:34

identification.
40:34 - 40:37

Next important
thing audit login.
40:37 - 40:39

It's very important
to log everything
40:39 - 40:42

by which we can able to
track the accountability.
40:42 - 40:44

So audit logging is
another important practice
40:44 - 40:46

we need to follow.
40:46 - 40:50

The next solution we have a
DLP, data leak prevention.
40:50 - 40:54

Ultimate objective of DLP
is to ensure data should not
40:54 - 40:56

live in an unauthorized manner.
40:56 - 41:00

You have seen a lot of employees
use their confidential data
41:00 - 41:03

and they try to send on
their public portals.
41:03 - 41:06

So we need to prevent
this data exfiltration.
41:06 - 41:08

Data exfiltration
definition means
41:08 - 41:13

data should not leave the
organization environment.
41:13 - 41:16

So we have a DLP here,
we have DLP here.
41:16 - 41:18

So example I connect
the pen drive
41:18 - 41:19

and trying to copy the data.
41:19 - 41:21

That is also data leaving
in an unauthorized manner,
41:21 - 41:24

but DLP there will try to block.
41:24 - 41:26

You opening a Gmail and try
to upload data on a Gmail.
41:26 - 41:29

So there is an endpoint
DLP or network-based DLP
41:29 - 41:30

will try to block the content.
41:30 - 41:35

So ultimate goal of a DLP is to
prevent the data exfiltration.
41:35 - 41:38

It is not a solution
introduced to monitor what is
41:38 - 41:39

coming from outside to inside.
41:39 - 41:40

No.
41:40 - 41:43

It is a solution which monitor
what is leaving the organization
41:43 - 41:44

data.
41:44 - 41:46

What is leaving the
organization control.
41:46 - 41:48

Because internal threat
is a difficult threat.
41:48 - 41:50

It's a concern for
the organization
41:50 - 41:55

and it is the biggest
threat for the organization.
41:55 - 42:01

The next thing we have network
and endpoint security, most
42:01 - 42:03

important section of Domain 5.
42:03 - 42:06

Now we have a different
type of circuits.
42:06 - 42:07

What is circuit?
42:07 - 42:10

Circuit is a link by which
we transfer the data.
42:10 - 42:13

So when you're talking about
circuit, the first circuit
42:13 - 42:14

they are talking about
dedicated circuit.
42:14 - 42:23

So we have a user A and we have
a user B. Same like the circuit
42:23 - 42:27

is a link which is basically
up between the two party.
42:27 - 42:30

And you send the data
through this link.
42:30 - 42:34

Another example is
you call your friend.
42:34 - 42:35

So what you have to do?
42:35 - 42:36

You need to dial his number.
42:36 - 42:40

And once you dial his number,
the link will be established.
42:40 - 42:41

And then you communicate.
42:41 - 42:44

And once it is done,
you basically discard.
42:44 - 42:45

But that is a circuit.
42:45 - 42:47

But that is not a dedicated.
42:47 - 42:49

It is a temporary circuit.
42:49 - 42:51

But dedicated circuit
is link is always up.
42:51 - 42:53

Whenever you dial,
it will be available.
42:53 - 42:55

Second is called as
a switch circuit.
42:55 - 42:58

Switch circuit I gave you the
example of the switch circuit
42:58 - 43:01

is you dial the person
number, you temporarily
43:01 - 43:03

establish the connection,
you are done, and you finish.
43:03 - 43:06

You are done with that and
you can discard the things.
43:06 - 43:08

So that is the difference
between the dedicated and switch
43:08 - 43:09

circuit.
43:09 - 43:11

We also have a packet
switching technology.
43:11 - 43:15

Packet switching technology
today is used in a 4G.
43:15 - 43:17

I am sure you have
seen the Jio, Airtel,
43:17 - 43:20

and all that offer the packet
switching technology only.
43:20 - 43:21

That is why if you
do the WhatsApp call,
43:21 - 43:24

it has a better quality
than the voice call
43:24 - 43:27

because packet switching
was primarily introduced
43:27 - 43:28

for the data transfer.
43:28 - 43:29

Let's take an example.
43:29 - 43:32

We have a system
A, we have a system
43:32 - 43:36

B. So this is my internet.
43:36 - 43:38

We have a routers here.
43:38 - 43:43

So what packet switching
does, we have a data here,
43:43 - 43:45

data divided into packets.
43:45 - 43:46

So some packets goes
through this route
43:46 - 43:49

and some packet goes
through this route.
43:49 - 43:52

And by end of the day, it
get delivered to the B.
43:52 - 43:56

It doesn't give assurance in
what state it basically receive,
43:56 - 43:57

but they just send the data.
43:57 - 43:59

That is where the packet
switching is primarily
43:59 - 44:03

designed for the data transfer,
not for the voice transfer.
44:03 - 44:05

That's why if you're
in your 4G phone,
44:05 - 44:08

you can see the V-O-L-T-E. OK.
44:08 - 44:10

And your landline, it's
not having a dial up tones.
44:10 - 44:12

It has some other tones.
44:12 - 44:15

So today your all
calls is basically
44:15 - 44:19

done through VoIP by using
a packet switching only.
44:19 - 44:22

You also need to understand
the different type of networks,
44:22 - 44:24

like LAN, which is basically
a group of computers
44:24 - 44:28

within the organization, a group
of system over the internet that
44:28 - 44:33

is called as a WAN, and access
the storage is called as a SAN.
44:33 - 44:37

DNS is a service which translate
name to IP and IP to name.
44:37 - 44:40

Let's take an example
of the smartphone.
44:40 - 44:43

It is difficult for you to
remember your friend's number.
44:43 - 44:45

So what you did, you saved the
friend's number with the name
44:45 - 44:49

because human mind remember
alphabets over the numbers.
44:49 - 44:52

So if I want to call
my friend Pankaj.
44:52 - 44:54

So I will type Pankaj Delhi.
44:54 - 44:57

So it will see by name and
it map with the number.
44:57 - 44:59

So automatically
dial the number.
44:59 - 45:02

Same like you open a
browser type google.com.
45:02 - 45:04

They send the request to
a specific server which
45:04 - 45:06

translate the name
to IP, and then it
45:06 - 45:09

will redirect you to the
particular web server,
45:09 - 45:10

like this way.
45:10 - 45:14

So we client and we
have a DNS server here.
45:14 - 45:16

And this is my web server.
45:16 - 45:19

So client has
requested google.com.
45:19 - 45:20

That request goes to DNS.
45:20 - 45:21

DNS said, no, boss.
45:21 - 45:23

Google.com on 1.1.1.1.
45:23 - 45:26

And this is how it
redirect to 1.1.1.
45:26 - 45:28

And then web server
provide the content.
45:28 - 45:32

So DNS is a service which
translate name to IP and IP
45:32 - 45:32

to name.
45:32 - 45:34

The next thing is
called as a DHCP.
45:34 - 45:37

DHCP is a service
which basically
45:37 - 45:40

provide the automated IP
address to all the systems.
45:40 - 45:43

It is difficult to manage
the IPs in every system.
45:43 - 45:45

So what I need, I want
a one centralized server
45:45 - 45:49

from where I need to assign the
IP address to all the clients.
45:49 - 45:52

The next important topic
is called as a topology.
45:52 - 45:55

Topology is provide the
layout of the network.
45:55 - 45:58

And then we have a media type.
45:58 - 46:00

So we have a twisted
pair and fiber optic.
46:00 - 46:02

Twisted pair are
twisted together
46:02 - 46:04

by which it reduces
the attenuation.
46:04 - 46:05

What is attenuation?
46:05 - 46:06

Is loss of signal.
46:06 - 46:11

Fiber optic is basically
providing a very effective
46:11 - 46:15

speed, and it is having a low
latency and better than twisted
46:15 - 46:18

pair to send the sensitive data.
46:18 - 46:22

So this is the first part
of this particular series.
46:22 - 46:25

I'm planning to make
another series next week
46:25 - 46:27

and we'll see what can be done.
46:27 - 46:30

This is just a first
part of the Domain 5.
46:30 - 46:33

If you find this video useful,
do share your feedback and do
46:33 - 46:35

let me know what are
the other videos should
46:35 - 46:36

I make on the CISA?
46:36 - 46:38

Thank you.

Title:: CISA Domain 5 Exam Cram Part 1 2021
Description:: more » « less
Video Language:: English
Duration:: 46:38

OE Tech edited English subtitles for CISA Domain 5 Exam Cram Part 1 2021

English subtitles

Revisions

Revision 1 Uploaded

OE Tech

CISA Domain 5 Exam Cram Part 1 2021

Revisions

Our website uses cookies

Operating cookies (Required)