CISSP Cyber Training Podcast - CISSP Training Program

CCT 140: Business Impact Analysis and the CISSP Exam (D1.8.1)

May 13, 2024 Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 2 Episode 140

Unlock the mysteries of cybersecurity and business continuity with me, Shon Gerber, as we navigate the treacherous waters of cyber threats, including the dark reality of ransomware's impact on our critical infrastructure. Tune in for an intricate look at the geopolitical cyber chessboard, where nations could be gearing up for digital warfare. We'll assess the fine line between cyber vandalism and an act of war, and explore how to arm yourself with knowledge and strategies to protect your organization's sensitive data and systems.

Step into the world of risk assessment as we unravel both the quantitative and qualitative methods crucial for business continuity planning. You'll gain insights into the art of calculating potential financial loss and discover the inherent challenges of valuing intangible assets, such as customer trust and brand integrity. I'll walk you through the complexities of these assessments, offering foundational knowledge that transforms theory into practical wisdom for effective leadership and decision-making in times of crisis.

Prepare to become a bulwark against cyber threats as we discuss the nuts and bolts of aligning business continuity plans with organizational goals, and the significance of constant adaptation. I'll break down disaster recovery jargon, rendering MTD, RTO, and RPO no longer cryptic, but clear markers to guide your recovery strategies. Join us for this vital conversation, and learn how we're supporting a noble cause through the CISSP Cyber Training initiative, empowering future cybersecurity defenders. Your questions and engagement are not only welcomed but essential, as we collectively strengthen our cyber resilience.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join today!

Speaker 1:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Let's go.

Speaker 2:

Hey y'all, Shon Gerber with CISSP Cyber Training, and I hope you all are having a wonderfully blessed day today. I hope your studying plans are going according to what you had already scoped out for your CISSP. If you are following the CISSP blueprint, you should be getting updates on how your training is going, and I hope that it's going well for you, because you know you've got to get this done. You just do. If you're in the middle of studying for this CISSP, you just got to get it done. It's hard. I know it's very challenging. Well, just wanted to let you know that things are going great here in Wichita, Kansas. It's actually coming into the spring and it is awesome. My wife is keeping me extremely busy as it relates to our other businesses and, yeah, it's fun. Actually, I wake up and I can't move, so I guess that's good, sort of. At least I know I'm alive. But as it comes to the CISSP and studying for your cyber training stuff, one of the things that I saw in the news was interesting, and it actually isn't. It's interesting but it's not. One of the big highlights we're talking about here at CISSP Cyber Training is the overall protection of the critical infrastructure and how important that is, and why you, as someone studying for your CISSP, really need to get this done. Just because it's imperative that you have the ability to protect assets from other companies that are around the globe, and especially here in the United States, because that's kind of where my heart is.

Speaker 2:

But one thing I noticed is just this week we had two ransomware incidents hit my local community, where one took out the local city. And I mean we're talking about 700,000 people, and it's not, for my friends in China and around the globe, that's not a huge amount of people. I shouldn't say that it's about 500,000. It's about 700,000 in the overall area. But it crippled their critical infrastructure, to include fire, police, water, all those kinds of things. So that is not a good situation, and I know having people that have a background in security is so imperative. It just really is, because you guys have to be able to. You're the front lines. You've got to get your expertise and knowledge out there to help protect a lot of these companies. Also, a local hospital, and there's like five or six locations, got hit with an attack as well. So it is only increasing, and your demand is going to do nothing but skyrocket.

Speaker 2:

So one thing I wanted to bring up an article that I saw, and this isn't a shocker. Obviously I'm sure I may have somebody listening from Iran, but it's highly unlikely that there'll be someone listening to the podcast from there. But even if you are, you need to use your skills for good, not evil. But recently one of the big concerns is that the Iranians will be launching attacks against the United States before other foreign countries would do so, just because it's easier for them, and I think it's actually smart tactics as it relates to a foreign entity that's smaller than the United States. If you can find a weakness, you should leverage it and you should manipulate and use it to your advantage, and this is one thing that the article from the Register is talking about that Iran would be most likely the one to launch a destructive attack against the United States, and it makes total sense.

Speaker 2:

The interesting part will be, with our congressmen and our legislators, to figure out at what point does a destructive attack constitute an act of war? They've mentioned this stuff in the past, and when we deal with, you know, physical types of activities, where something is dropping a bomb on somebody else or blowing something else up, that becomes a real quick, easy litmus test to go, well, yes, now we are going to engage in warfare, and hence that happened with the 9-11 bombings. It happens with Pearl Harbor. If you see something like that occur, you then can say, well, we can now connect the dots and we can launch a physical attack against a country or an organization. The interesting part, though, is when you deal with the cyber attacks that are happening all the time. What constitutes an act of war? And I don't think they really truly know. I think if people start dying, that would definitely cause some level of increased interest in going to war, but it's hard to say. So one of the things I just talked about in this article was that they feel that an attack will most likely come from Iran before it comes from somewhere else, and I know you're probably, to you Captain Obvious folks out there, going, well, yeah, that makes sense. It's just something to consider as our senior leaders within our respective countries, depending on where you're living, deal with these types of asymmetrical warfare, where it's not basically people fighting other people directly, it's from an asymmetric platform, such as the cyber attacks. So keep that in mind as you guys are looking and studying for your CISSP. Use this knowledge that you have in a way to help really grow the community and help other people.

Speaker 2:

Okay, so today we're going to be getting into 1.4 of the CISSP exam, and we're going to be covering a few different areas that help you study for the test. So one aspect that we run into is you're going to be dealing with business continuity planning, and we're only going to talk about a small part of business continuity planning, but a main piece of this is going to be around qualitative and quantitative impact assessments. The main focus of this is going to be doing a BIA, which is your business impact analysis. So I'm not going to get into the full business continuity planning, just one aspect around the BIA. And as you get into your CISSP book, you'll see that the BIA is a part. It's about a chapter, not really a chapter, it's more of a few sections, but it's an important factor as it relates to getting your CISSP and to working for a company, because doing a business impact assessment is an important factor for you, especially with your business leaders, to help them and help you understand the overall risk to your organization.

Speaker 2:

We're going to get into a few acronyms such as MTD, RTO, RPO, ALE, SLE and ARO. So yes, I just threw out acronym soup for you all, and so you'll be ready for that once you're listening. I get a lot of people calling in and letting me know, or should I say emailing me, that they're listening on their drive in. So if you're listening to acronyms, try to keep it straight. We'll go back over it again. But yeah, it can be overwhelming.

Speaker 2:

We'll get into risk identification, the BIA in the cloud, and then SLA commitments and other operations you may have to deal with, and then, finally, how it may fall into what we call a SOC report. Okay, so the first thing we're going to get into is what we call a quantitative and qualitative impact assessment. So when you're dealing with a quantitative impact assessment, the key thing to focus on is a number, right. So we're dealing with quantities, quantitative, and so this involves numerical values that could be a potential impact to a business disruption. I will say that it can be one of the easier things to do, and I say that loosely, because getting people to tell you the numbers can be very challenging, but if you have numbers, they do tend to stand out with your senior leaders to understand what the actual challenge is.

Speaker 2:

So, like an example, if you can say that a facility, a manufacturing facility, I'll use my background, for example, and that manufacturing facility, if it was to go down, physically shut down, maybe it's still running but it cannot produce any more product, that will cost you X a day. So if you know that if a facility goes down for a period of time, it's going to be X dollars per day. This ransomware attack I use with the hospitals, so they have a number that they know that when a hospital goes down, it costs them X amount per day. Now this could include the actual revenue brought in. It could be opportunity cost from your employees that aren't working anymore. There could be a lot of different factors that cause that number to be what it is.

Speaker 2:

When it's all said and done, there is a number for each of these facilities or each of these areas, if they go down, and this is how they come up with a specific number that they hang their hat on. So we'll use the Clorox company breach that occurred, or ransomware attack that occurred a while back, and they said that it cost them upwards of $8,800 million. When it was all said and done, something like that, it was a very large number. Well, they had to come up with a quantitative number for one, because it's a publicly held company, so they've got to let their shareholders know what the actual impact was, and so this is a much easier way for people to truly understand, okay, what did occur. But there are a lot of also hidden costs in there that may or may not be brought forward and may not be considered as well. But how does this all play into it?

Speaker 2:

Well, there are some key elements when you're dealing with a quantitative impact assessment. You have a single loss expectancy, you have annual loss expectancy and you have annual rate of occurrence. So, like I mentioned in the alphabet soup earlier, SLE, ALE and ARO. So SLE is your single loss expectancy, ALE is your annual loss expectancy and your ARO is annual rate of occurrence. So let's just say, for example, let's go.

Speaker 2:

We're going to walk through an example of just a critical server. So this is not a facility, this isn't a site, this isn't a whole business. This is just one server. But you can cascade this out in multiple different ways. So a critical server goes down. For this critical server, a single loss expectancy might be calculated as the cost of downtime per hour. So let's just say this server's downtime costs $5,000 an hour. So you multiply that by the expected duration of the outage. So in the case of this situation where the server goes down, it's four hours. So you have $5,000 an hour. It's down for four hours. That results in a single loss expectancy of $20,000. So just for that one server to go down for a period of four hours will cost you $20,000 US dollars.

Speaker 2:

And that makes sense, right? It's simple math and it's not complicated. Well, if the server is expected to go down once every five years, the ARO would be 0.2. If it's expected to go down once a year, that would be an ARO of one. So just to put it in perspective, once a year is one, once every five years is an ARO of 0.2.

Speaker 2:

So if you multiply, the ALE, that's your annual loss expectancy, times the, or I should say you multiply your SLE, sorry, here comes the acronym soup, SLE times ARO. Okay, that will give you your annual loss expectancy. So that's how you figure out what that might be. So you've got your SLE. Again, your SLE is $20,000. Your ARO is 0.2. Your ALE will become what? $4,000 will be your ALE. So your annual loss expectancy is $4,000 that you can anticipate for that server being down. So now you can multiply this number out all different kinds of ways to however it fits or meets your specific needs. So, just again, keep in mind that that's how you would come out with your quantitative impact assessment. Now, qualitative impact assessment. This is a way of assessing the impact of disruptions through descriptive means rather than hard numbers, and this would involve subjective judgments and opinions. So again, this could come down to such as customer satisfaction, employee morale, brand reputation. Those are pieces that you would have to figure out for a qualitative impact assessment. Now that, again, gets much harder, much squishier.

Speaker 2:

The Clorox example, okay, they went down for a while and that impacted people's mindset or the brand reputation with Clorox. Now, I would say that there probably wasn't nearly as substantial a hit as the hack that hit MGM. So when MGM, the casino company in Las Vegas, was taken down, that was a substantial impact. One, they had to bring all these systems back up. They had annual loss of revenue. But at the same time, people that are using MGM for their gambling needs, some people were probably hesitant to give them any more of their credit card information or personal information, thinking that the information may have been compromised. That would be a bigger brand reputational hit than, let's just say, Clorox. Clorox, they make stuff. They make stuff that you use, and most people think, I don't give Clorox my personal information. So therefore, as long as I've got my stuff up and running, I'm okay. Now, again, you will lose some people. That's not for all cases, there's no situation where it's always the same, but the brand reputation hit would potentially be less with a Clorox incident than it would with an MGM type incident. So, as an example of this, the same server goes down.

Speaker 2:

A qualitative assessment might focus on a potential loss of customer trust, the stress on employees due to increased workload and the tarnishing of the company's reputation due to the service outage. So again, that's a qualitative impact assessment. So let's get into annual rate of occurrence. What exactly is that? So we just used that for our different quantitative assessment. This is a metric that's used in this process, and what it is is the number of times per year that an incident is likely to occur. So now, like in the example of the server, we could potentially come up with a 0.2, right, so it's going to happen once every five years, and they figure out ARO based on the number of incidents divided by the number of years. So if you have a situation going on where you know that these servers go down X number of times, okay, over a period of five years, that'll give you your 0.2.

Speaker 2:

It's somewhat easier to figure out with standard incidents that occur within your organization, such as an outage. Right, you have the stray backhoe that comes in and it cuts a hole in the ground and it takes out your fiber line. Okay, that happens so often. You have an individual that configures the server wrong and it goes down. That happens. You have just hardware failure. If you have hardware appliances, that happens. So that comes into your once every five years that server would go down.

Speaker 2:

The part that gets really squishy is when it comes into attacks from outside entities, such as cyber attacks. So you really think well, I have no idea how to plan that out. So what you then have to do is make a lot of qualitative kind of assessments along with your quantitative ones. You have to figure out, hmm. So if a breach occurs, I know that I have done everything in my power, you've done all the security controls you can. You've mapped them out. You obviously understand some gaps, but you've minimized your gaps. You feel confident that you've done a good job in the security.

Speaker 2:

As a security professional, you may say you know what? I think we have a chance of getting an incident that would affect our entire company, probably once every year. Let's just say 100 years. It's probably less than that, but let's say once every 100 years. But I have the ability for a cyber incident to take down a server would be probably once a year to maybe once every five years. So then you have to determine is that a critical system? And then how do I base my annual rate of occurrence on that critical system?

Speaker 2:

So it gets very complicated very quickly, but it forces you to think through where are your critical systems? Have you put enough controls in place? Can you explain that to the board? Can you explain that to your CEO? What are the protections you've done to help minimize the risk to your organization? And again, it's a bit of a guessing game, right? I mean, there's no way you're going to get this to 100%, there's no physical way. But you have to be able to talk yourself out of the corner and you've got to be able to make sure your leadership is aware, with going into all these incidents with their eyes wide open, that they know that if something happens, you had a plan for it and you understood where the risks were, and you try to put in place some level of mitigation around those risks.

Speaker 2:

So, in this example, though, you say you predict a data breach might occur twice in five years. The ARO would be basically two incidents divided by five. It would be a 0.4, right? So that's what you'd be dealing with if you had a data breach type situation. Now, in a business impact assessment, you would use the ARO to help you with your annual loss expectancy, which is the expected monetary loss for an asset. One specific asset, could be a plant, could be a server, could be whatever you decide the risk over each year. And again, we talk about this, where your ALE equals your SLE times your ARO, and your ALE again is your single loss expectancy multiplied by your ARO. So we talked about that just a few minutes ago. So I hope that makes kind of sense.

Speaker 2:

So now, when you're dealing with a BIA, it does roll into what we call the business continuity plan, and in your business continuity plan, the BIA is one aspect of that. So if you're dealing with a BCP, you need to identify how this works, and I'm just quickly going down this tangent of a BCP because it is connected with how you would do your BIA. Those two are important. So how does this play out? Well, in a BCP, you need to try to understand what are the next steps that you need to understand as it relates to a disruptive event. So one, you need to establish an emergency preparedness team. You need to have somebody that's in place, a committee, to help you with responsibilities in the event that there's an emergency. This would lead to a planning process to have the authority to make decisions. You need to have this in place. That's a completely different podcast and we'll get into that at another point.

Speaker 2:

But if you have an emergency response team that's ready to go, they know their expectations, they know what they're supposed to do, you have key people from each of the divisions of your organization, to include your legal, IT, compliance, obviously security. All of those people are already prepped, they're already set up to go. They already know what they need to do. That is a team that should be set up and ready to go, and these would include developing training plans, key business partners and then also assessing the potential impact of an emergency. That needs to be in place and ready to go. Then you conduct what they call a business impact analysis, and that's the BIA, and this is what we've been doing here, and this helps identify critical business functions and the potential impact of their disruption. This involves categorizing services based on criticality as well as priorities A, B and C, obviously A being the most critical to your organization. Now, this should be conducted with input from multiple departments as well as with your key personnel.

Speaker 2:

So, as you're building out your response plan, you need to have the same type of people you would meet with on your BIA. Then you need to prioritize and categorize, set this up. You need to have essential services, critical factors of each of those, and you need to rate the impact of each of these services as well, as well as staff absenteeism. So if you lose people, how will that affect your recovery? So it's really understanding that everybody's involved. I've got a BIA. What's the impact if these systems go down? I'm going to prioritize and categorize my most important and critical systems and make sure that if I have Bill, who is the main person for this system, and Bill is sick, then what do I do? Bill's on maternity leave, or his wife's on maternity leave and Bill's coming in. Are you going to pull him in off of maternity leave and do that? Can you do that legally? Can you? Yes, no, don't know. Depends on where you live. Maybe that is a case.

Speaker 2:

Then you need to identify the resources that help you continue operations, such as staffing, equipment, alternate locations. This kind of flows into your DR plan, your disaster recovery plan. You need to integrate with your objectives for your organization. Again, make sure that the overall objectives for your organization align with what you're trying to accomplish. And then you need to regularly review and update, make sure that everybody's tied into what's actually happening and how to fix it. And then you need to run different types of events, and this comes into the last bullet, or not the last, the second to last, is the training and awareness. You need to run through different scenarios and make sure this works, and this would include reevaluating your business impact analysis.

Speaker 2:

You need to really consider changing your BIA when you have large things that occur within your organization. You do a merger, you need to redo your BIA. You do a divestiture, you need to redo your BIA. If you bring on one facility or some critical systems, critical applications, redo your BIA. And again, it could be a very small thing or it could be very large, depending on the size of what the change is within your organization. And then you need to communicate this. This includes stakeholder involvement. You want to communicate your BCP plan. That needs to happen with your senior leaders, it happens with heads of the departments. You need to communicate that with people and then their understanding, and then, if you run through some different training assessments with this, this would be a great way for that communication to occur as well.

Speaker 2:

Now we're going to run into a couple of different acronyms: MTD, RTO and RPO. So MTD is maximum tolerable downtime. This is the longest amount of time that a business process can be down, okay, without causing significant harm to your organization's plan or mission. It represents a threshold for accepting downtime and is crucial for determining the urgency of recovery. So if your maximum acceptable downtime is one day versus your maximum acceptable downtime is one hour, that will tell you the criticality of what systems can be down for how long and so forth. I will tell you that this will change, and some people think they know what the answer is, but until you exercise it, you truly won't know it, because I've had situations with senior leaders that have come in and said my maximum downtime is seven days, until you do an exercise and they're like, that thing has to be up in two hours. Exactly. So that's the part where you really won't figure that out until you actually do it.

Speaker 2:

Recovery time objective. This is the largest or the target duration in which the business processes must be restored after a disruption to avoid unacceptable consequences. So what that basically means is that you come up with a plan that my data is updating to a database, and if it does not update to this database, and it doesn't say every minute, if it doesn't update for two hours, I lose those two hours. Well, I have people that can go back in and try to manually go and hand jam in that new data. However, if it goes down for three days, I'm now, total business processes crump. I got nothing I could do. I don't know. I mean, these hospitals are an example with a ransomware attack. When they have, they need to get these systems back up and operational because all of their data is operating inside them. They can't do notes on their people. What happens if people get the wrong drugs and it causes physical harm? All of those things are an important factor when you're dealing with RTO.

Speaker 2:

Now we go to RPO. This is recovery point objective. This is the maximum acceptable data loss measured in time. This is the age of the files that must be recovered from backup storage for normal operations. So if you have a situation where I can be down for an hour, okay, and I'm down for that hour, but within that hour I have to have all of the data back within minutes. So I can only lose five minutes of data. So then that means that your recovery point objective is five minutes. You can be down for two days, but you've got to be, when they bring it back from backups, you cannot lose more than two minutes of data. That's your recovery point objective. So maximum tolerable downtime is how much time it can be down, days, hours. Maximum recovery time objective is the duration in which your business process can be operating where that has to be restored. So I've got days that I have to have it back, and then your recovery point objective is when the data needs to be back in sync. Immediately, exactly within, I can only lose an hour, I can only lose two hours. What is that recovery point objective? So, again, these are really important to identify the priorities, because they help you understand what systems are critical and then what your business is willing to accept as it relates to your MTD, RTO and RPO.

Speaker 2:

So now you're dealing with risk identification. What are some risk identifications you need to consider with your BIA? This would be natural disasters, and we've got human-made disasters, so the risks can vary. In the past it used to be many of them were, obviously, you've got some natural disasters, earthquakes, floods, hurricanes, tsunamis, all that, that's normal, right, and the actuarial tables can help with that. I actually talked to a gentleman I'm working with right now in a contracting thing and his daughter is going to school for actuarial, I can't say that, basically, science around actuarial, yeah, insurance person, that's what she's going to be working on. She likes that, she likes looking at numbers. So this is where you have your actuarial tables.

Speaker 2:

Well, they know how many earthquakes occur, how many floods occur, and they can kind of plan for that. The part they can't plan for, and I'm talking to the insurance people, is the human-made disasters such as cyber attacks, data breaches, physical terrorist attacks, which I think they can plan for a little bit better because they don't happen as often. Fires caused by human activity, those they can work with. Industrial accidents, they can figure those out. But the cyber and data breach ones are really squishy, and I think they'll also get into, are you in a targeted environment, critical infrastructure? I think that's probably one of the areas that they're starting to try to get the numbers around. But the protections on critical infrastructure are all over the board, man. It goes from being super protected when you're dealing with nuclear power plants down to water treatment facilities that may not be as protected. So it's interesting. So when you're dealing with the BIA and the CISSP, you need to consider again, like we talk about, identifying key business functions, estimating your downtime, understanding that and then assessing the potential impact over time and how it may impact your business. So that's really what it is. The business impact analysis is just going through the numbers, and you can create your own assessment within your own business. I highly recommend you create one, something that you would have that you can work from to help with your people. Now, I would also tend to make sure you be very careful when you create your own BIA or business impact assessment.

Speaker 2:

It's the fact that it's really easy to start making this a laundry list of all kinds of things that you're going to ask questions on. You want to avoid that. You really want to keep this simple, keep it to the point, and let it help you understand where the key aspects within your organization are, and that could come down to: what are the systems that are most critical? What are you doing to protect those most critical systems? And then, is there anything that you haven't really thought of? And you'll dig deeper into all those. I mean, that's a very generic statement I just made there, but that's really what it boils down to: what are the critical systems? How much could it impact your organization? Is there a monetary number you can give me, and who is the next person you need to talk to about those critical systems? And then, what protections do you have in place?

Speaker 2:

That's the crux of it, with a little bit more detail, okay, so now we're going to talk about BIA and the cloud. How does that work? So you're dealing with the cloud. What do we do here? Well, you need to understand the critical business functions again that are tied to these cloud environments. And what is a cloud? All a cloud is is you've just outsourced your data, your data center, to an external entity. That's all the cloud is.

Speaker 2:

So instead of doing that to your own people, you now have to do an impact assessment of these cloud providers. Now, depending upon if it's going to be like Amazon, where you're putting your own stuff out there and Amazon is just maintaining the infrastructure, that is a different kind of BIA than if you are actually allowing a third party to be what they call a SaaS, or software as a service provider, or an infrastructure as a service provider. Then that's a different type of BIA where you may ask a little bit different questions. Same concept, but just different questions. So keep it simple, right? Do not overcomplicate this. It's really easy for security professionals to make this way more complicated than it needs to be, and it then causes all kinds of drama and people just don't get stuff done.

Speaker 2:

You need to assess the impact of what would happen if a cloud disruption would occur, just the same thing you do on on-prem. One of the things that you might consider, this is a little bit different, but it's kind of the same, is evaluating dependencies. You may have different dependencies with an external provider than you do with your internal people, and the understanding is that sometimes you can tap your internal people on the shoulder saying, hey, can you help me, whereas with an external provider it isn't always as simple as that. You need to understand your regulatory compliance, especially externally, and if you're dealing with a SaaS product, they should be dealing with that. If, for some reason, you have a SaaS provider that does not understand the regulations for your space, you may want to think twice about working with them. They need to truly understand that. If you want to have a successful engagement working with them, they need to truly understand that.

Speaker 2:

If you want to have a successful engagement with these people, you need to consider data security, and then also potential breaches. And are they dealing with that? And this comes down to SLAs. Do you have a service level agreement with these folks, so that everybody understands their commitments, operations and key considerations? This would be a part where you need to understand what those SLAs are that you have with this organization. Do they understand what they are? Clear, measurable, achievable metrics need to be defined, including the flexibility that they have within this business. That also involves your flexibility as a company as it changes with time, and in this SLA you also need to understand that they comply with all the different regulations that are there, as well as that they are letting you know how they do with these compliance regulations and what their compliance is focused on.

Speaker 2:

This is something that you'll deal with. As a security professional, you will dig into this a lot. Your compliance folks understand really well what they do, but when it comes to cybersecurity, there's very few. There are fewer cybersecurity compliance people that are focused on it, and therefore they're a bit of a unicorn. You may have to help that compliance person in this overall process, especially if your business model is not an IT-related or software-related business. If you're dealing with an IT or software-related business, those compliance folks are pretty sharp on the cyber stuff. But if you're dealing with manufacturing or maybe something a little bit different that doesn't deal with cyber as much, you may have to do some education to train them up.

Speaker 2:

Maintaining transparency. Again, this is also important, that you have that in line and you understand it. Now, we talked about, I mentioned, the SOC report, and I'm not going to get into SOC and how that plays in. But when you're doing a BIA, you may have to understand what a SOC report is, and this is a service organization control report, and what is it? Why is it important? Well, as you're dealing with a business impact assessment, these are regulatory requirements that you may have to meet, and I'm just using SOC as an example. There's many other regulatory requirements out there that may impact your business impact assessment, but the SOC report, what it basically is, it's an examination that a certified public accountant or CPA organization would do, and they would provide what the controls are that are in place to help protect security.

Speaker 2:

As it relates to a financial piece of this, this is around the security, the accuracy and the completeness of all of the financial information, and that's a SOC. Now, they have different types. There's a SOC 1, there's a SOC 2. There's a report, too, depending upon the amount of due diligence that needs to occur, based on what you do with the financial data. So if you have a much more involved financial situation, you'll have a different SOC report than what you would if you didn't have that. So, again, we're not going to get into the details of a SOC report, but just know that a SOC report is an important factor in dealing with a BIA because of the regulatory requirements that are associated within that organization if they're a financial organization.

Speaker 2:

I dealt with this at my other company. I had cybersecurity for China, I had it also for Europe, and so therefore I had those requirements that were required of me when I did my BIA. If we didn't report an incident within a certain period of time, then there were fines, there was potential jail time, depending on the country you're in. So all of those things get fed into our BIA because of the fact that it was a compliance slash regulatory requirement that was imposed upon us by the country that we were operating out of. Okay, so this is all we've got.

Speaker 2:

We're going to go over a summary of what we talked about. We talked about having an emergency preparedness team. We talked about having a BIA. That's part of your overall BCP. These are all part of your BCP: prioritization, resource identification, what are your organizational objectives? You should review and update this on a routine basis. You need to train your people and you need to communicate with them. We talked about MTD, RTO, RPO. We talked about the fact that MTD is a maximum acceptable downtime, RTO is your recovery time objective, RPO is your recovery point objective. We talked about how the risk identification comes into natural disasters, human-made disasters as well, and we also then got into the BIA and the cloud. Various different aspects we covered during this podcast.

Speaker 2:

Ultimate goal is that the BIA is an important factor for any organization and you need to really consider doing it. It's also going to help you with the CISSP. As you can see, the great part about the CISSP is that it will help you with your job. Once you pass the CISSP, it helps you in your job. Now, if, for some reason, you want to listen to this and you don't ever want to take the CISSP, hey, that's fine too. Not a problem, because the fact is, these skills are very helpful with your organization, no matter if you're taking the certification or you pass the CISSP.

Speaker 2:

There's also, out there, if you need mentorship or if you need some help with your organization, that you need a CISSP or a CISO to help you with some of that, just some guidance around what you need for your company. I'm happy to help you with that too. I've got plans for that. You just let me know what you need. Just send me an email. I'm happy to kind of work with you and tailor to your needs as well. I've got a lot of people that are already large companies, as well as municipalities, that are needing some level of cybersecurity experience and they are needing help. Hey, just reach out. I'm happy to do so.

Speaker 2:

Again, all the proceeds that come from CISSP Cyber Training are going to be going to my nonprofit. So the good part about all that is, I'm not going to be taking any money from that. I'm going to be picking a launch date on that. It's going to be happening here. It's probably around the 1st of June. We're going to move all that into our nonprofit, so I'm excited about that.

Speaker 2:

But the ultimate goal is to help you pass your CISSP. It's about helping you protect your company and your facilities, and I do this because I'm passionate about the fact that I just don't want... we can stop this stuff from happening, at least limit it. We'll never stop it completely, but we can limit it, and if I can help you train, get trained, so that you can help be a part of that, that is what I'm here for, to help facilitate that process. So if you've got any questions, again reach out to me at CISSP Cyber Training, and I'm super excited to work with you here in the future. Good luck on your CISSP. You guys will get it done. I know you will. Take care. We'll talk to you soon. Catch you on the flip side, see ya.
