CBT Nuggets

Discussing Ethics and Security Concepts

This skill covers essential cybersecurity concepts, focusing on the importance of ethics, the CIA triad (Confidentiality, Integrity, Availability), and various security controls. It emphasizes the role of accountability, privacy, and nonrepudiation in maintaining security standards. Additionally, it discusses administrative, physical, and technical security controls, along with the principles of least privilege and segregation of duties to mitigate risks and protect data.

Full lesson from SSCP. Preview the IT training 23,000+ organizations trust.

1h 8m 8 Videos 8 Questions

Skill 1 of 17 in SSCP

Introduction

Yes, this is a security course, and yes, security concepts are an important part of any security course; however, ethics is just as important. Within the cybersecurity field we are often given access to many of the organization's assets in order to do our job. With this access comes great responsibility to guard those assets and keep them safe, including from ourselves. This is where the ethics part of the cybersecurity equation comes into play, so let's get started!

Code of Ethics

An organization's code of ethics is used to shape its policies and guidelines. Ethics help keep us on the right track. Have you ever gone bowling and noticed that some lanes have "bumpers" that prevent the ball from going into the gutter? That's what ethics do for us: they keep us rolling down the lane and out of the gutter!

Knowledge Check

Organizational codes of ethics are used to balance the conflicting needs of laws and regulations with the business's need to succeed.


Verify your team's readiness — Request a Demo to verify practice assessments, completion reporting, and CSV / SCORM exports on the Team plan.

The CIA Triad

The CIA triad are the three supporting legs of cybersecurity and they are:

Confidentiality

Integrity

Availability

It's these three things that we must protect in order to ensure our organization stays secure.

Knowledge Check

The CIA triad is made up of Confidentiality, Integrity and what else?

  A. Availability
  B. Accuracy
  C. Analysis
  D. Anonymity


Accountability, Privacy and Non-repudiation

An important aspect of cybersecurity is the ability to identify who has done what. We might see this in a system log or through other means, and it's also very important to ensure data privacy. We don't want the entire world to read our emails, so we use encryption to protect our data privacy, and that's where this section's topics come into play.
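The lesson's transcript describes two mechanisms for this section's topics: a hash attached to a message so the receiver can detect tampering (integrity), and a digital signature made with a private key that only the sender holds (nonrepudiation). The block below, an added example and not code from the CBT Nuggets lesson, runs both against the lesson's own purchase-order scenario (part 1234, quantity 5, altered in transit to part 6321, quantity 500) and adds the caveat a practitioner needs: a shared-secret MAC also detects tampering, but because the receiver holds the same key it proves nothing about who wrote the message. The messages, the shared key and the tiny textbook RSA key are all constructed for illustration; the RSA modulus is far too small for real use.

```python
"""Integrity vs. non-repudiation, worked through on the lesson's purchase-order email.

Added example; this is not code from the CBT Nuggets lesson. The messages and
keys are constructed for illustration. The RSA key is a deliberately tiny
textbook key (hypothetical, trivially factorable) so the arithmetic stays
visible; a real deployment uses a vetted library with 2048-bit RSA or Ed25519
and proper padding.
"""
import hashlib
import hmac

# Constructed sample messages: the order from the lesson and a tampered copy.
ORIGINAL = b"Order part number 1234, quantity 5"
TAMPERED = b"Order part number 6321, quantity 500"


def digest(message: bytes) -> str:
    """A hash is the lesson's 'error check': a fixed-size value that changes
    if even one byte of the message changes."""
    return hashlib.sha256(message).hexdigest()


def integrity_ok(message: bytes, expected: str) -> bool:
    """Recompute the hash on arrival and compare it to the one that was sent."""
    return hmac.compare_digest(digest(message), expected)


# --- Shared-secret MAC: integrity plus authentication, but NOT non-repudiation.
# Both sender and receiver hold SHARED_KEY, so either of them could have produced
# any valid tag; the sender can still deny it ("the receiver forged it").
SHARED_KEY = b"constructed-shared-secret"  # constructed; never hard-code real keys


def mac(message: bytes, key: bytes = SHARED_KEY) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_ok(message: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(mac(message, key), tag)


# --- Toy RSA signature: only the holder of the private exponent can sign,
# anyone with the public exponent can verify. That asymmetry is what gives
# non-repudiation. Hypothetical key built from two Mersenne primes (2^31-1 and
# 2^61-1): about 92 bits, far too small for real use.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)


def _hash_mod_n(message: bytes) -> int:
    # Map the SHA-256 value into the modulus. Real schemes apply PKCS#1 v1.5 or
    # PSS padding here instead of a bare reduction.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exp: int = D) -> int:
    """Sender signs the hash with the private key it alone holds."""
    return pow(_hash_mod_n(message), private_exp, N)


def verify(message: bytes, signature: int, public_exp: int = E) -> bool:
    """Recipient, or any third party, checks with the public key; no secret is shared."""
    return pow(signature, public_exp, N) == _hash_mod_n(message)


def order_story() -> dict:
    """Run the three mechanisms against the lesson's tampered order."""
    sig = sign(ORIGINAL)
    return {
        "hash_detects_tampering": not integrity_ok(TAMPERED, digest(ORIGINAL)),
        "mac_detects_tampering": not mac_ok(TAMPERED, mac(ORIGINAL)),
        # The receiver holds the same key, so it can mint a valid tag for any
        # text: a MAC cannot prove who wrote the order.
        "receiver_can_forge_mac": mac_ok(TAMPERED, mac(TAMPERED)),
        "signature_verifies": verify(ORIGINAL, sig),
        "signature_rejects_tampering": not verify(TAMPERED, sig),
        # Without the private exponent nobody can produce a second valid signature.
        "signature_rejects_altered_sig": not verify(ORIGINAL, (sig + 1) % N),
    }


if __name__ == "__main__":
    for check, result in order_story().items():
        print(f"{check}: {result}")
```

The hash alone is an integrity check that any man-in-the-middle can recompute after editing the message, which is why it must travel protected (a MAC or a signature) to be worth anything. Of the two, only the signature gives nonrepudiation, because verification needs no secret: a judge, an auditor, or the recipient can all confirm the signature without being able to produce it.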

Knowledge Check

We defined privacy as freedom from which of the following?

  A. Unwanted intrusion
  B. Unwanted invasion
  C. Unwanted busy bodies
  D. Unwanted eavesdropping


Least privilege & Segregation of Duties

Let's jump into administrative security controls and talk about two of the most commonly used ones: least privilege and segregation of duties.
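Both controls are usually written down as policy, but they only hold up if something enforces them. The block below is an added example, not code from the CBT Nuggets lesson, showing what that enforcement looks like as a small policy check: a least-privilege permission table where the lesson's email administrator has admin rights on the mail server and nothing on the accounting server, a static segregation-of-duties audit over a role-assignment table (the person who creates a payment must not hold the approver role, and nobody audits their own work), and a dynamic check that refuses to let a user approve an entry they created themselves. The roles, servers, users and conflict pairs are constructed assumptions for illustration.

```python
"""Least privilege and segregation of duties as checks you can actually run.

Added example; not code from the CBT Nuggets lesson. The roles, servers,
users and conflict pairs below are constructed for illustration: the email
administrator and the accounting server come from the lesson, the rest are
assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Least privilege: a role grants only the (resource, action) pairs the job
# needs. The email admin gets admin on the mail server and nothing on accounting.
ROLE_PERMISSIONS: Dict[str, set] = {
    "email_admin": {("mail-server", "admin")},
    "helpdesk": {("workstations", "reset-password"), ("ticketing", "write")},
    "ap_clerk": {("accounting", "create-payment")},
    "ap_approver": {("accounting", "approve-payment")},
    "auditor": {("accounting", "read-audit-log"), ("mail-server", "read-audit-log")},
}

# Segregation of duties: pairs of roles one person must never hold at once.
# Creating and approving a payment are split, and nobody audits their own work.
SOD_CONFLICTS = {
    frozenset({"ap_clerk", "ap_approver"}),
    frozenset({"ap_clerk", "auditor"}),
    frozenset({"ap_approver", "auditor"}),
    frozenset({"email_admin", "auditor"}),
}

# Constructed role-assignment table; carol's combination is the deliberate violation.
ASSIGNMENTS: Dict[str, List[str]] = {
    "alice": ["email_admin"],
    "bob": ["helpdesk"],
    "carol": ["ap_clerk", "ap_approver"],
    "dave": ["auditor"],
    "erin": ["ap_clerk"],
    "frank": ["ap_approver"],
}


def permitted(roles: List[str], resource: str, action: str) -> bool:
    """Default deny: allow only if some held role grants exactly this pair."""
    return any((resource, action) in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def sod_violations(roles: List[str]) -> List[Tuple[str, str]]:
    """Static check: which conflicting pairs does this one person hold?"""
    held = set(roles)
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held)


def audit(assignments: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Review a whole assignment table for unknown roles and SoD conflicts."""
    findings = []
    for user, roles in assignments.items():
        for role in roles:
            if role not in ROLE_PERMISSIONS:
                findings.append((user, "unknown role", role))
        for a, b in sod_violations(roles):
            findings.append((user, "segregation-of-duties conflict", f"{a}+{b}"))
    return findings


@dataclass
class Payment:
    amount: int
    created_by: str
    approved_by: Optional[str] = None


def try_approve(payment: Payment, approver: str,
                assignments: Dict[str, List[str]] = ASSIGNMENTS) -> Tuple[bool, str]:
    """Dynamic SoD: even a legitimate approver may not approve their own entry."""
    if not permitted(assignments.get(approver, []), "accounting", "approve-payment"):
        return False, f"{approver} lacks approve-payment (least privilege)"
    if approver == payment.created_by:
        return False, f"{approver} created this payment and may not approve it (SoD)"
    payment.approved_by = approver
    return True, f"approved by {approver}"


if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS):
        print("finding:", finding)
    pay = Payment(amount=5000, created_by="erin")
    print(try_approve(pay, "erin"))   # refused: not an approver, and own work
    print(try_approve(pay, "alice"))  # refused: email admin has no accounting rights
    print(try_approve(pay, "frank"))  # approved
```

The static audit is the kind of check to run against a directory or IAM export on a schedule; the dynamic check belongs in the application, because a role table alone cannot stop a legitimate approver from signing off on their own entry.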

Knowledge Check

It's good business practice for a person to audit their own work.



Security Controls

A main goal within cybersecurity is to control the outcome of various situations including things like attackers trying to break into our network or users clicking on things they shouldn't. In order to attempt to control the outcome of these situations we use security controls.

Knowledge Check

Controls are put in place to help control the outcome of an event.



Security Control Categories

Now that we know what security controls are and why we use them within cybersecurity, it's time to take our security control game to the next level: identify the three main categories of security controls and some examples within each of them.

Knowledge Check

Which of the following options are the categories of security controls? (Choose three)

  A. Administrative
  B. Physical
  C. Technical
  D. Protective
  E. External
  F. Internal


Other Security Concepts

Let's discuss some additional security concepts that you should be familiar with.

Knowledge Check

An auditor is usually someone from outside the organization.




Validation

It's time to put your newly acquired knowledge to the test.

  • Data backups are very important to an organization's survivability in the event of a security incident. Your manager has tasked you with identifying two security controls your organization can implement to help ensure the availability of data backups. Take a couple of minutes and think about two security controls that would help ensure data backups are happening properly and are being protected from security threats.
  • When you have your two security controls identified, play the video below to see if you came up with any of the security controls that I came up with. Maybe you outsmarted me and came up with something I didn't. We can always learn from each other!


Transcript

Code of Ethics

0:00 When it comes to certification bodies, those organizations
0:03 that issue certifications, and specifically
0:06 within the information security realm,
0:08 the (ISC)² certifications, it is very important
0:12 that you understand their code of ethics,
0:15 because you'll be held to them.
0:17 So let's jump in and talk about these ethics.
0:20 So (ISC)² has a code of ethics.
0:23 Now one question is, well, why do we have these?
0:26 Well, we have this code of ethics to provide an expectation
0:32 for those certified individuals' professional behavior.
0:37 So in order to hold and maintain
0:39 an (ISC)² certification,
0:41 you have to abide by the code of ethics.
0:45 So your professional behavior must reflect those ethics.
0:50 So let's go ahead and talk about what these are.
0:52 We're starting with the code of ethics preamble, okay?
0:57 And here it is, right here.
0:59 It says, "The safety and welfare of society
1:01 and the common good, the duty to our principals,
1:05 and to each other requires that we adhere,
1:07 and be seen to adhere, to the highest ethical standards
1:12 of behavior."
1:13 So if you are going to become (ISC)² certified,
1:16 you have to follow this code of ethics.
1:19 So you must adhere to the highest ethical standards
1:22 of behavior.
1:24 And down here, "Therefore, strict adherence
1:27 to this code is a condition of certification."
1:31 So if you're not gonna adhere to the code, you don't agree
1:34 to it, you cannot be certified, according to (ISC)².
1:38 And this is one of their certifications.
1:40 They have several of them out there.
1:42 So next up is the code of ethics canons.
1:45 These are the four canons of the code of ethics.
1:49 Number one here.
1:51 Protect society, the common good, necessary public trust
1:56 and confidence, and the infrastructure.
1:59 So you're looking to protect society.
2:01 You're protecting the common good.
2:04 You're protecting public trust and confidence,
2:07 and of course the infrastructure as well.
2:10 So it's by practicing these ethics that we gain trust.
2:14 We become recognized professionals
2:17 who follow these codes of ethics.
2:20 Number two, you must act honorably, honestly, justly,
2:26 responsibly and legally.
2:28 So it's all of these things together.
2:30 So not only do you have to protect these items over here,
2:35 we have to act in certain ways.
2:38 Then number three, we need to provide diligent
2:41 and competent.
2:43 That is key here.
2:44 Diligent and competent services to principals,
2:47 that's our customers.
2:48 We have to maintain competency.
2:51 And that is one of the reasons that we have
2:54 to achieve certain CPE requirements,
2:59 which are continuing professional education,
3:03 to show that we are maintaining our competency.
3:07 And then lastly, the fourth canon here,
3:10 we need to advance and protect the profession.
3:14 So what we're meaning here is, by advancing the profession,
3:18 we're keeping up with changes in the environments,
3:22 and in security, and we are protecting the profession.
3:26 We're protecting the profession
3:28 by maintaining our ethical actions.
3:32 And we're performing number one over here,
3:35 of course two, and three.
3:37 We're protecting the integrity of the profession,
3:40 so that when someone sees
3:41 that you hold an (ISC)² certification,
3:44 they know that you do these things.
3:46 You adhere to these four canons, and you practice ethics.
3:50 And that is key here, because when someone says,
3:53 "I hold X certification," if it's from an organization
3:58 who just gives out pieces of paper
3:59 and they don't really care about anything else
4:01 except making money,
4:03 then that certification just doesn't hold as much value.
4:07 Whereas (ISC)², they require that you adhere
4:12 to this code of ethics.
4:13 They require that you keep up to date with your CPEs,
4:18 that you're studying, and you're advancing yourself
4:21 and the profession, and that you're acting honorably,
4:24 honestly, and justly and legally.
4:27 And by adhering to that, it means
4:30 that those certifications carry with them greater value.
4:35 And that's where, as a professional
4:37 within the security industry, we really need
4:39 to adhere to these ethics.
4:42 And now we're moving on
4:43 to our organizational code of ethics.
4:45 We've discussed our (ISC)² code of ethics,
4:48 time to talk about the ethics
4:50 for the organizations that we're a part of.
4:52 And the organizational code of ethics does something for us.
4:55 It helps to define the organization's ethical guidelines
4:58 and best practices for a couple of things.
5:02 Number one is honesty.
5:05 Number two is integrity.
5:08 Number three is professionalism.
5:10 And that's what our organizational code of ethics does for us.
5:12 It helps us to define ethical guidelines
5:15 and best practices for our honesty, integrity,
5:17 and professionalism.
5:18 And these are going to be used
5:20 to help shape some things within our company, okay?
5:23 They're gonna be used to help shape our policies
5:27 and guidelines.
5:28 So we see that swings right over into our policies
5:32 and guidelines.
5:33 And really the key with organizational policies
5:36 is this image down here.
5:38 We have this balance going on.
5:40 And that's what these codes of ethics are supposed to do.
5:44 Help us to balance conflicting needs of laws
5:47 and regulations with the need for a business to succeed.
5:52 And that's because many businesses face regulations
5:57 and laws that they have to abide by.
5:58 They need to be compliant with them.
6:00 And sometimes those can make being successful
6:03 in business difficult.
6:04 They can cost a lot of money.
6:06 They can make things hard on us.
6:08 But the thing is, when it comes
6:09 to our organizational code of ethics,
6:11 it's really there to also help us
6:13 to balance these two things out,
6:16 so that they can both coexist.
6:19 And of course, if employees or folks
6:21 in the organization are not abiding
6:23 by these codes of ethics, well, it can result
6:26 in repercussions such as employee termination.
6:29 And nobody wants that.
6:31 So here, we see that not only do we need to abide
6:34 by the (ISC)² code of ethics,
6:36 but of course also our organizational code of ethics
6:40 as security professionals.
6:41 And we need to understand the importance of these ethics,
6:44 and understand the expectations
6:46 that we practice ethical behavior.
6:48 That's what this has been all about.
6:50 I hope this has been informative for you,
6:51 and I'd like to thank you for viewing.

The CIA Triad

0:01 Today we're going to talk about the CIA triad.
0:05 And no, this isn't the Central Intelligence Agency,
0:08 although that would be fun, but it's a little bit different.
0:11 So we're gonna talk about confidentiality, integrity,
0:14 and availability, that is the CIA triad.
0:17 So with no further ado, let's jump in and get started.
0:21 So the CIA triad, what is it? Why is it important?
0:26 Well, the CIA triad, "tri" meaning three, has three sides
0:31 as we can see in this drawing.
0:32 Confidentiality, integrity and availability,
0:37 those are the three pieces of the CIA triad.
0:42 Now why is this important?
0:43 Because within cybersecurity and information security,
0:47 we are working to ensure, that is key here,
0:51 it's kind of our job to ensure this CIA triad.
0:55 So what does this really mean?
0:58 Well, it means we want to work to provide confidentiality,
1:02 and work to provide integrity to our data,
1:06 and the availability of our data.
1:09 So let's go a little further now and talk about
1:12 each of these individually and kinda the role
1:15 that they play in this triad.
1:18 So we're gonna start off with confidentiality.
1:20 We see Mr. Hush Hush down here.
1:23 Now, when it comes to confidentiality,
1:25 what we're trying to do is make sure that only those
1:29 who are authorized to access our data can access it.
1:33 That means those who are unauthorized,
1:36 well we don't want those folks to be able
1:39 to access our data.
1:40 We want to keep it confidential, we want to restrict
1:43 access to it.
1:44 We want to use something called
1:46 the premise of least privilege.
1:49 And we're gonna dive into what this means more later on.
1:53 But we're gonna practice something called "least privilege",
1:57 meaning we provide the least amount of privilege necessary
2:01 for someone to do their job.
2:03 So if we have hundreds and hundreds of thousands of files
2:07 and folders and directories and all of the wonderful
2:09 resources that we have, we don't want to give everybody
2:13 out there access to all of these things.
2:16 Absolutely not. We want to remove that.
2:18 We wanna say, this person needs access to only this.
2:21 Maybe this person needs access to these things over here,
2:25 and this one to a couple of these over here,
2:28 but that's all that they need access to,
2:29 that is least privilege.
2:31 Now why is that important when it comes to confidentiality?
2:34 Because, if everybody has access to everything, well then,
2:38 well, there's no confidentiality at that point necessarily
2:41 because we need to control who can have
2:43 access to everything.
2:44 We wanna make sure that those unauthorized individuals
2:48 don't have access to any of the things
2:51 that they shouldn't have access to.
2:52 So really when we're talking about confidentiality,
2:54 what we've been talking about here is something called
2:56 access control.
2:58 And there are several different types of access control,
3:01 and we're gonna dive into those later on.
3:03 But all this on the right side of the screen here,
3:07 well, that's access control in a nutshell.
3:10 What else can we use to provide confidentiality to our data?
3:15 Well just think about this, if you send an email to someone,
3:18 it's gonna go out across the internet.
3:21 And what is out there on the internet?
3:23 Well, there's lots of things on the internet.
3:25 It goes through different service providers as it
3:27 jumps through various networks to get from
3:30 point A to point B to point C, and maybe finally down here
3:34 to your destination where that user can open up the email
3:37 and read the contents.
3:39 Well, as your emails and other data traverse the wide world
3:44 of the internet, which is the wild wild west out there,
3:48 who's to say someone can't go out there,
3:52 and take a look at your email?
3:54 Well, because it's absolutely possible, these emails are
3:57 sent in plain text.
3:59 So what can we do to combat this?
4:01 Well, let me make a little room here.
4:04 We can use something called encryption.
4:07 So we have our email over here.
4:09 What we're gonna do is we're going to use a key of some sort
4:12 and we're going to encrypt this email so that anybody
4:17 that doesn't have that key, they cannot read the email.
4:20 So as it traverses the internet and all the different paths
4:24 it may take before it gets to its final destination,
4:27 anybody out here who doesn't have the key, they're not gonna
4:29 be able to read that email, meaning we are going to maintain
4:32 the confidentiality of the contents of that email.
4:35 Hey, super cool.
4:37 So then when it gets down here to its final destination,
4:40 the user can take their key and they can open that email
4:44 and read it and voila, there we go,
4:47 we've achieved confidentiality.
4:49 So there's a couple different pieces.
4:50 We can use encryption to help with confidentiality,
4:53 we can use access control to help maintain confidentiality.
4:58 And why are we maintaining confidentiality
5:00 in the first place?
5:01 Because our data can be sensitive,
5:04 it can have trade secrets in it.
5:06 Maybe it has sensitive privacy information in it.
5:10 We need to maintain control of our data, and part of that is
5:14 maintaining the confidentiality of the data.
5:17 So that's the C part of the CIA triad. What about the I?
5:21 Good old integrity. There we go.
5:24 So integrity. This is ensuring that our data is accurate.
5:30 So why is our data not accurate?
5:33 Did we mess something up? Did we miscalculate something?
5:36 No, no, no, no, no, something totally different.
5:38 This is dealing with making sure our data
5:41 hasn't been tampered with.
5:44 Because, just the same example we used before
5:47 when we were sending an email, if I go over here
5:50 and I take an email and I send it out,
5:52 and it goes out across the internet and through all the
5:54 different routers and devices out there to get to
5:57 where it's finally going through different service providers
6:00 and such, and the user gets their email.
6:03 And originally I was placing an order, so I want to order
6:07 part number 1234,
6:09 and I want to order a quantity of five.
6:12 Okay? That's what was in my email.
6:15 Well, if someone tampers with that email
6:18 and they change that order to part number 6321,
6:24 and a quantity of 500,
6:28 well, that completely changes my order.
6:32 And that is why we need to protect integrity,
6:35 not to protect our orders necessarily,
6:37 but sure, of course that's one example.
6:39 But because we need to ensure that our data is accurate,
6:46 we don't want it to be tampered with, we need to ensure
6:48 the integrity of our data, and some different ways
6:52 that we can do this, we can perform error checking.
6:56 So for example, in this instance, if I use some type
7:00 of mathematical equation to give me an output of
7:03 what my original message equals, maybe it actually equals
7:08 X, 3, 2, 6, 9.
7:11 You know, in some mathematical equation,
7:13 actually we call this hashing,
7:14 and this value now represents the email.
7:17 So I could actually attach this to the email,
7:21 and then when it gets to the other side, we could run
7:24 that mathematical algorithm again.
7:26 And here it would equal Y, 3, 1, 1, 2.
7:31 All right? So that's what that equals.
7:33 So if I take my, out of this message X, 3, 2, 6, 9,
7:38 does this value equal that value? Well the answer is no.
7:42 So that means that our message was tampered with,
7:46 and this is part of something like error checking.
7:48 We're looking to see if our data was tampered with,
7:52 and the integrity of our data has been compromised.
7:56 And if you think about it, this is one example, right?
7:59 But what about when it comes to medical information?
8:01 Well, that could be very dangerous as you could imagine.
8:05 If someone's medical records were tampered with
8:08 and we didn't have the integrity of the data,
8:10 well maybe something they were allergic to gets changed
8:13 in their medical records and then they get a treatment
8:16 and they have an allergic reaction, you see where
8:18 this could go, this could be very dangerous.
8:21 So again, we're looking to protect the integrity of our data
8:25 and really one of the best ways we can do that is
8:28 through error checking or something we call hashing,
8:32 which uses a mathematical algorithm to calculate a value,
8:36 just like we looked at in this example.
8:38 All right, so that's the "I" leg of our CIA triad.
8:41 We've got one more to go, that is the "A" or availability.
8:46 So here we're looking to make sure our data is, well,
8:49 it's available, meaning we can use it.
8:53 If our data is not available to us to use,
8:57 well what good is it, right?
8:58 We can't actually access it and use it.
9:00 We've gotta have it available to us.
9:02 So how can we, you know, protect our data
9:05 and make sure it's available?
9:07 Well, one of the things we can do is
9:08 practice access control.
9:10 Just like we talked about in our
9:13 confidentiality, access control.
9:15 If we allow unauthorized users to access our data,
9:21 well, guess what?
9:22 Those unauthorized users, whoa...
9:26 Well, they could go out there and delete our data.
9:28 Well then it's not available to us, or they could change
9:32 the data and compromise its integrity.
9:34 So then it's inaccurate.
9:35 And if it's inaccurate, it's of no use to us,
9:38 so again, it's affecting the availability.
9:40 Another thing we could do is put some type of
9:43 security controls in place to help
9:48 protect our data, make sure it's available,
9:50 because we got all those bad guys out there on the internet
9:54 who might do something like cause an attack
9:56 against our environment.
9:58 And if they're trying to attack, maybe we can put something
10:01 like a firewall out here, and that firewall
10:04 is gonna help protect us.
10:06 So this is a security control, something we put in place
10:09 to control the situation.
10:11 And it's related to security.
10:13 So we could do a firewall,
10:14 or maybe an intrusion detection system
10:18 that we could put in place to analyze the traffic
10:21 as it's coming through into our environment
10:23 so we can help keep the bad guys out,
10:26 making sure that our data is available.
10:29 We can also build redundancy into our systems.
10:34 So instead of running our data on one server,
10:37 we actually spread the data across multiple servers in maybe
10:41 a cluster so that if we lose one of those servers,
10:45 we still have our data available to us.
10:48 So redundancy, we could have redundant power.
10:50 That's pretty important,
10:52 because if the lights go out, well guess what?
10:54 Our servers go down, our infrastructure goes down,
10:57 we'd lose access or availability of our data.
11:01 The same for our HVAC or air conditioning and ventilation.
11:05 Because when we're dealing with lots of network equipment
11:08 and servers and such, it generates lots of heat,
11:10 and if it overheats, it's no longer able to function.
11:12 Well, it affects the availability of the data
11:16 on those devices.
11:18 So it's very important that we have redundancy as part of
11:22 protection for our availability.
11:25 So those are the three things that make up the CIA triad.
11:30 That's our confidentiality, our integrity,
11:33 and of course our availability.
11:36 That's the CIA triad.
11:37 And that's really what we look to protect
11:40 within information security.
11:43 So we're looking to protect all of these things,
11:46 because when we do that together,
11:48 when we have all three legs of the CIA triad,
11:51 well then, we are going to be winning at security
11:54 and making sure our data is accurate and available,
11:58 and kept confidential.
12:01 I hope this has been informative for you,
12:02 and I'd like to thank you for viewing.

Accountability, Privacy and Non-repudiation

0:00 It's time to talk about accountability,
0:03 privacy, and nonrepudiation.
0:05 These three things are very important
0:07 when it comes to security.
0:09 We need to have accountability and we need to have privacy.
0:12 And then nonrepudiation is something
0:15 that comes into play a little later on.
0:16 But we're gonna discuss all these right now.
0:20 And we're starting off with accountability.
0:22 And it's very important that we have accountability.
0:25 And accountability is holding someone accountable
0:30 for their actions.
0:32 And it's very important that we do this
0:34 because without accountability, there are no consequences
0:38 for not following things like the code of ethics
0:42 and policies and procedures
0:46 and anything else laid out by the organization.
0:50 So again, accountability, holding somebody accountable
0:53 for their actions, very important.
0:55 Because if we didn't have accountability,
0:58 well then there's no reason for anyone
1:00 to follow what's been laid out by the organization,
1:03 like the code of ethics and policies and procedures.
1:06 There's no consequences, no accountability.
1:09 So it's very important that we have that.
1:12 Otherwise, there would be no repercussions
1:14 for not following these things.
1:15 And at that point, there's really no incentive either,
1:19 because if there's no repercussions, nothing's gonna happen.
1:22 So you can really just do what you wanna do.
1:24 That's why accountability is so very important.
1:27 And next we're gonna talk about privacy.
1:30 Now, according to Merriam-Webster,
1:32 privacy is freedom from unauthorized intrusion.
1:38 And this is what we want for our personal data
1:41 and our lives, right?
1:42 Absolutely.
1:44 We want freedom from unauthorized intrusion.
1:46 If we want people to know our business,
1:48 then we'll post it on social media
1:50 or we'll tell somebody about it.
1:52 But otherwise, we want our personal data
1:57 to be free from unauthorized intrusion.
1:59 And the same goes for the data in our organizations.
2:03 The data that our organizations manage.
2:05 We want to keep it free from unauthorized access.
2:09 And there are many laws
2:10 and regulations surrounding data privacy,
2:13 which we're gonna cover later on in this course.
2:15 But for now, just understand, privacy
2:18 is freedom from unauthorized intrusion,
2:20 and we want to keep our data private.
2:25 Absolutely.
2:26 We don't want unauthorized access to our data.
2:29 All right, so that's accountability and privacy.
2:31 Next up we're gonna talk about nonrepudiation.
2:34 So it is a strange-sounding word.
2:37 So let's go ahead and break this down.
2:38 We're gonna start with repudiation.
2:42 Now, repudiation is the ability to say
2:46 that you didn't do something.
2:49 Okay?
2:50 That's what repudiation means.
2:51 Basically, you know, "I didn't send an email"
2:53 or "I didn't open a file," so that is repudiation.
2:58 But if we put "non" in front of that,
3:01 so we have nonrepudiation, it means
3:05 that you don't have the ability to say this, right?
3:10 So let's talk about some of the examples of nonrepudiation.
3:14 So when it comes to emails, if you have nonrepudiation,
3:19 you can't say, "I didn't send this email."
3:24 So as it goes out to its recipient over here
3:27 and the recipient reads it
3:29 and says, "Hey, did you send this email?"
3:31 You cannot say, "I didn't do that."
3:34 See, that's not an option with nonrepudiation.
3:37 So we have proof that the person sent the email.
3:41 Okay, what about accessing a file?
3:43 Maybe making changes to the file?
3:46 So we change a little bit in the file,
3:49 and the question comes about,
3:51 "Hey, who made the change to this file?
3:53 Did you do that?"
3:54 With nonrepudiation, the person can't say, "I didn't do it,"
3:58 because we have proof that they did.
3:59 So really, with nonrepudiation, we're looking to prove
4:04 that someone did something.
4:06 That's what it comes down to.
4:08 But this isn't necessarily a bad thing.
4:10 We're not looking to catch someone in a crime
4:13 or something necessarily.
4:15 It could be that you want to prove that you sent it.
4:17 "See, I sent this file, I changed that file,
4:21 I sent the email," whatever it is.
4:23 So you can prove that you did.
4:24 But how can this be done?
4:26 Well, when it comes to proving that you sent an email,
4:30 let's say, you could use something called PKI,
4:34 and that is our Public Key Infrastructure.
4:39 And this is dealing with encryption keys.
4:42 So earlier we had talked about using encryption
4:44 to encrypt an email to maintain its confidentiality.
4:48 So if I take my key right here, and I go ahead
4:51 and I use that key to digitally sign my email,
4:57 which basically means you take the key
4:59 and it runs that hashing algorithm
5:01 that we talked about earlier,
5:02 and it puts that data into the email.
5:04 So since you are the only one who has access to this key,
5:09 it's your private key, you hold it safe,
5:12 and you don't let anybody else have access to it.
5:14 That way when this email goes out
5:16 and you've digitally signed it, you can say, "I sent it."
5:22 And you have proof because you signed it with, that's right,
5:26 your key right there.
5:28 So that is an example of nonrepudiation.
5:31 You want to prove that you sent it.
5:33 And since you're the only person on earth who has access
5:35 to that private key, you can prove it.
5:38 You've digitally signed it.
5:40 And we can sign files as well.
5:42 You can sign various objects,
5:45 but again, oftentimes we use PKI,
5:48 or Public Key Infrastructure, with our private key to sign
5:52 a piece of data to prove
5:55 that you did something with it.
5:56 And that is all about nonrepudiation.
5:59 You wanna make sure that you can prove
6:01 that you did something with some digital assets, like files.
6:05 And again, also it could be the other way.
6:08 So if you're looking to see if someone did something,
6:11 you can find out again by nonrepudiation.
6:15 I hope it's been informative for you
6:16 and I'd like to thank you for viewing.

Least privilege & Segregation of Duties

0:01 Within information security, we're always trying
0:03 to control the security of our environment.
0:07 We're protecting the CIA triad. We're protecting our assets.
0:11 And one of the ways that we do this is we practice
0:14 some things like least privilege and segregation of duties.
0:19 These are two ways that we can control the access
0:21 that people have to our assets.
0:23 We don't want them to have too much access
0:25 because then they could do nefarious things
0:28 and we don't want that to happen.
0:29 So let's jump in and talk about these.
0:32 So let's talk about the principle of least privilege.
0:34 The idea is you should only be provided
0:37 with enough access to do your job and no more.
0:42 Now, it is very important that we are given enough access
0:46 to do our job, otherwise we wouldn't be able to do it.
0:49 And that is detrimental to the organization, right?
0:53 It hurts the organization if people can't do their job.
0:56 So we have to make sure they have enough permissions.
1:00 That is key. Enough, but not too much.
1:06 And that is the principle of least privilege,
1:10 because if you give too much permission or too much access,
1:16 well that's not good either,
1:18 because then nefarious activities can be carried out.
1:23 Just think about this, if in your organization you've got
1:26 a thousand users in there and those thousand users
1:30 have access to everything in your organization data-wise,
1:35 well they don't need that access.
1:38 And so if someone is feeling like they've been wronged
1:42 by the organization, again, they have access to everything.
1:47 So they would be able to go out
1:49 and access sensitive information
1:53 and take that information and maybe sell it to a competitor
1:57 or leak it online, whatever it might be
2:00 to cause harm to your organization.
2:02 And that would be an insider threat.
2:05 But we can prevent this from happening by practicing
2:09 the principle of least privilege.
2:11 We only give people enough access to do their job, okay?
2:16 That's where this comes into play.
2:18 Now, let's talk about a couple of examples.
2:21 Let's say we have an email administrator.
2:24 So there is our email server here,
2:27 and they are the email administrator.
2:29 They manage all the email for our organization.
2:32 Well, we need to make sure
2:34 that they have administrative access into our mail server.
2:38 Absolutely, that's how they do their job.
2:41 But if I have over here, there we go, my accounting server,
2:46 do I need to give the email administrator
2:48 administrative rights or any permissions at all
2:51 to my accounting server?
2:53 Well, the answer is probably not, and I wouldn't want to.
2:57 They don't need access to that, okay?
3:00 And another example, I've got this help desk technician
3:03 over here working away at the help desk,
3:06 helping our folks out,
3:07 and he's working on fixing end user problems, okay?

3:12So that means that he probably doesn't need any type

3:15of administration access to the servers over here.

3:21He needs to have access to our end user computer

3:25so he can help 'em out, alright?

3:26So these are examples of principle of least privilege.

3:32So again, the key is least privilege.

3:35I'm gonna drive this home. Least privilege.

3:38When users have too much privilege, they can gain access

3:40to data and services that they don't need access to.

3:47And that's where we can run into risks

3:50such as insider threats or damage from viruses.

3:55What, damage from viruses? Yes, absolutely.

3:58So let's say I've got a user over here

4:01and everybody has access to everything.

4:04So we've got all of our digital assets over here,

4:07all of our files and all of our servers are over here

4:11and all these things, right?

4:12If this user sitting right here has access to everything

4:18and he goes ahead and receives a phishing email,

4:21downloads it, and gets a virus, well,

4:24the way the virus works is it uses the permissions

4:28of the user logged into the computer.

4:31If the user has administrative permissions

4:33over everything, guess what?

4:35So does the virus.

4:37That means it can spread and infect everything.

4:40And this virus could be malware, it could be ransomware.

4:42Who knows?

4:43It's something that we don't want in our environment.

4:46And again, principle of least privilege.

4:49So if this user only had permissions,

4:53let's change this up here.

4:55If this user only had permissions in all these things

4:59to these files over here, well this malware, virus,

5:03or ransomware could only access those files.

5:05It couldn't access or do anything else

5:08to the rest of our resources.

5:09And that is ideal. That's what we're looking for.

5:13So not only does it protect against things

5:15like insider threats, it also protects against malware,

5:18viruses, ransomware, et cetera.

5:20So again, least privilege helps to protect our environment.

5:24And too much privilege introduces risk.

5:29And we've talked about risk before and managing risk

5:32and risk is something that we in information security

5:35are always looking to reduce.

5:38We need to keep a handle on risk.

5:41And one of the ways that we can do it

5:43is practice principle of least privilege.

5:46And yes, there's always going to be risk,

5:48but we need to manage our risk.

5:50We don't wanna let it run free.

5:52We wanna manage it when we have the opportunity to do so

5:55and to minimize it by doing things such as,

5:58again, practicing principles of least privilege.

6:02And now onto segregation of duties,

6:04also known as separation of duties,

6:09is the idea that we don't want any one person

6:11to have too much authority so they can carry out

6:15a sensitive process all on their own, okay?

6:18Now, why would we want to do this?

6:20We wanna prevent someone from being able to take advantage

6:23of that situation.

6:25And let's go ahead and talk about some examples here.

6:28So one example is, think of accounting and payroll.

6:33Does the person who enters payroll data

6:36into the accounting system approve the paychecks?

6:40Probably not.

6:41Because if they did, let's say this person here,

6:45they entered the payroll information into the system

6:48and they approved the payroll so that the checks can go out,

6:53well, they could pay themselves or anybody else,

6:55whatever they wanted to, right?

6:56Absolutely. What's to stop 'em?

6:59Well, an auditor would catch them doing this eventually

7:03if auditing was being done.

7:04But by that time, it's already done.

7:07Alright, let's talk about another one.

7:08How about expense reports?

7:11With expense reports, does the person submitting

7:13the expense report also approve the expense report?

7:16Well, again, probably not,

7:18because if this person submitted an expense report

7:21and approved the expense report,

7:25they could expense anything they wanted to.

7:27A vacation. Hey, there you go.

7:30How about a vacation or a big old TV

7:32or something like maybe, I don't know, a boat or something.

7:35Who knows?

7:36They could put anything they wanted to

7:37on that expense report and approve it

7:39because they're the only ones seeing it.

7:41And again, you see what we're finding here

7:43is a single person having too much authority or permissions

7:49and they're able to take advantage of a situation.

7:52And this is something we're trying to avoid.

7:54That's why we have segregation of duties.

7:57Now, these are a couple examples of non-IT systems.

8:01What about examples when it comes to IT systems?

8:04Well, let's talk about data backups.

8:07That is a very important job.

8:11And if we have a backup admin over here,

8:14so this is our backup admin who is in charge

8:21of doing all the backups and performing test restores

8:24and making sure that everything with our backups

8:26is working successfully.

8:29Hey, that's great.

8:30Now, but what about when it's time to audit these backups?

8:34Because we should be performing audits, okay?

8:38And that's because we wanna make sure

8:40things are being done properly.

8:41We want to ensure that our backups are successful,

8:44that we are actually doing test restores.

8:47These are all things we should be doing,

8:49and that's what the audits are there to ensure

8:51are being done.

8:52However, if the backup admin takes care of things

8:56like the backups, okay, and test restores,

9:01and we want to audit this to make sure they're being done,

9:04would I assign the backup admin as the auditor for this?

9:08Well, no, I wouldn't because then the person doing the work

9:12is the one auditing the work.

9:14And that is a conflict of interest.

9:18And that's why we need to ensure it is someone else,

9:21maybe a third party.

9:23So it's someone other than the backup admin,

9:26it could be even somebody who's not in IT.

9:29And that's because we need to ensure

9:32that these backups are being done properly

9:35and our test restores are being done properly as well.

9:38And that requires someone else performing the audit.

9:42We don't want the same person auditing the work

9:44that they are doing.

9:45That just does not make sense.

9:47That's known as a segregation of duty. We segregate that.

9:51You got the person doing the work over here

9:54and you've got the third party auditor over here.

9:58And that's a prime example of using segregation

10:01of duties within IT systems, alright?

10:04So this is why we practice segregation of duties.

10:07It's important to information security and it helps us,

10:11that's right, reduce risk.

10:13Because if you think about it, if you've got

10:15that backup admin over here doing the backups

10:18and they're not doing the backups properly,

10:21our backups are failing and we're not doing test restores.

10:26We don't even know if the restores are gonna work.

10:28If we do not audit and find this out, guess what?

10:32When there is a problem, we have a serious incident

10:37on our hands because the risk is through the roof.

10:41Because we're not auditing,

10:42we're not finding these things out,

10:44and we're gonna be up the creek without a paddle.

10:47And that is not a place you wanna be my friends.

10:50So again, we're reducing the risk of our own personnel

10:54taking advantage of situations to gain something.

10:57So if we practice segregation of duties,

11:00it's gonna help us make sure that this doesn't happen

11:03and it's going to lower our risk.

11:07Absolutely jump for joy. (laughs)

11:10All righty, so that is segregation of duty.

11:12I hope it's been informative for you

11:13and I'd like to thank you for viewing.
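The two access-control ideas from this lesson, worked as an added Python example that is not part of the course transcript or CBT Nuggets material. It models an allow-list permission policy for the email administrator, help desk technician and an ordinary user (so that malware running as the user reaches only what the user was granted), and refuses to let the person who entered a payroll run approve it or the backup admin audit their own backups. All principal, resource and person names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed principals and resources standing in for the lesson's mail
# server, accounting server and help desk; none of this is real infrastructure.


@dataclass
class AccessPolicy:
    """Allow-list model: a principal holds exactly the rights granted here.

    Anything not granted is denied, which is what least privilege means in
    practice: enough to do the job, nothing more.
    """

    grants: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)

    def grant(self, principal: str, resource: str, *rights: str) -> None:
        self.grants.setdefault(principal, {}).setdefault(resource, set()).update(rights)

    def allowed(self, principal: str, resource: str, right: str) -> bool:
        return right in self.grants.get(principal, {}).get(resource, set())

    def reachable(self, principal: str) -> Set[str]:
        """Every resource that code running as this principal can touch.

        This is the blast radius of malware that inherits the logged-in user's
        permissions: the virus has whatever the user has, and nothing more.
        """
        return {res for res, rights in self.grants.get(principal, {}).items() if rights}


def least_privilege_policy() -> AccessPolicy:
    """Each constructed role gets only what its job needs."""
    policy = AccessPolicy()
    policy.grant("email_admin", "mail_server", "admin")
    policy.grant("helpdesk_tech", "end_user_workstations", "admin")
    policy.grant("office_user", "shared_files", "read", "write")
    # Nobody above is granted anything on accounting_server.
    return policy


def everyone_is_admin_policy(principals, resources) -> AccessPolicy:
    """The anti-pattern from the lesson: every user has access to everything."""
    policy = AccessPolicy()
    for who in principals:
        for res in resources:
            policy.grant(who, res, "admin", "read", "write")
    return policy


class SeparationOfDutiesError(Exception):
    """Raised when one person would hold both halves of a sensitive process."""


@dataclass
class PayrollRun:
    entered_by: str
    approved_by: Optional[str] = None


def approve_payroll(run: PayrollRun, approver: str) -> PayrollRun:
    """The person who entered the payroll data may not also approve it."""
    if approver == run.entered_by:
        raise SeparationOfDutiesError(
            f"{approver} entered this payroll run and cannot approve it"
        )
    run.approved_by = approver
    return run


def assign_backup_auditor(backup_admin: str, candidate: str) -> str:
    """The backup admin may not audit their own backups and test restores."""
    if candidate == backup_admin:
        raise SeparationOfDutiesError(
            f"{candidate} performs the backups and cannot audit them"
        )
    return candidate


if __name__ == "__main__":
    tight = least_privilege_policy()
    loose = everyone_is_admin_policy(
        ["office_user"], ["mail_server", "accounting_server", "shared_files"]
    )
    print("email_admin may read accounting_server:",
          tight.allowed("email_admin", "accounting_server", "read"))
    print("malware as office_user reaches (least privilege):",
          sorted(tight.reachable("office_user")))
    print("malware as office_user reaches (everyone admin):",
          sorted(loose.reachable("office_user")))
    print(approve_payroll(PayrollRun(entered_by="alice"), "bob"))
```

The allow-list is the design choice that matters: because `allowed()` denies anything not explicitly granted, a role's `reachable()` set is the same set a reviewer would see in a permission review, and the same set a phished account can expose.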

Security Controls

0:01When we talked about risk, one of the ways

0:03that we could deal with risk was to mitigate it

0:06or fix the risk.

0:08And one of the things we can do to fix a risk

0:11or kind of mitigate it

0:12and minimize its likelihood of happening,

0:16is to implement something called security controls.

0:18And that's what we're gonna talk about right now.

0:21So the question is, what are security controls?

0:24Well, security controls are safeguards and countermeasures

0:29that we can put in place to reduce risk.

0:34The security controls attempt to control the outcome

0:38of a specific event.

0:40And again, it's all about reducing risk.

0:44So let's spend a couple minutes talking about

0:46what kind of controls we could use in a day-to-day life

0:50to reduce risk.

0:51Well, do you have a security system like this here

0:56in your home or business?

0:57Well, you may, many of us do.

1:00And we use these to secure our home to prevent people

1:05from breaking in and stealing our goods.

1:07Because when they break in and the alarm goes off,

1:10it scares them away.

1:12Okay, and then it alerts us,

1:14hey, someone broke into your house, something's going on.

1:17You need to call the police. You know, take action.

1:19So this is a type of control to prevent theft of our goods.

1:25Another example right here, warning lights.

1:28So if you get into your vehicle and you start it up

1:31and you get a warning light on your dashboard

1:34in your vehicle, let's say, well guess what?

1:38There might be something wrong with your vehicle

1:39and you need to get it taken care of

1:41before it causes damage.

1:43So this is a type of preventative control.

1:47Or maybe you use credit monitoring

1:50to detect and prevent bad guys from using your credit

1:56to purchase various goods, right?

2:00Because it helps us to identify suspicious activities

2:03with our finances or credit.

2:05And these are kind of everyday controls that many of us use.

2:11So I'd say at this point we understand what controls are.

2:14You know, the role that they play in security.

2:16So let's talk about some ways to reduce risk associated

2:20with some specific threats.

2:22So let's play a game. Let's play match three and win,

2:26alright, so here's what we're dealing with.

2:29We have human error over here.

2:31We've got viruses and malware, insider threats,

2:35and a stolen laptop.

2:37And over here we have some controls that we can use

2:42to help prevent specific risks from happening,

2:46or at least reduce the risk associated with them.

2:49So let's start with human error over here.

2:51So with our human error,

2:54which of these controls over here on the right

2:57do you think would help us to reduce human error?

3:01So we have file permission.

3:02So those are permissions allowing authorized individuals

3:06to access files.

3:08We have, that's our file permission.

3:10We have drive encryption over here.

3:12So this is where we encrypt a hard drive

3:15and the data on it so that if the drive was stolen or lost,

3:20that the data on it would remain confidential,

3:23the bad guys couldn't get at it.

3:25Okay, then we have security awareness training over here,

3:28and this is where we train our users

3:31so that they can make good decisions

3:33and not make errors by clicking on things

3:35that they shouldn't or opening files that they shouldn't.

3:38Then we have endpoint protection.

3:40This is like your antivirus or your anti-malware

3:43or endpoint detection and response software

3:45that runs on our endpoints.

3:48It could be our servers and our laptops

3:49and our workstations that keeps viruses and malware at bay.

3:54So we're starting off with human error.

3:56Which one of these over here on the right would allow us

4:00to reduce the risk of human error?

4:02So what do you think about this?

4:04Well, file permissions aren't gonna prevent human error,

4:08nor is drive encryption.

4:09But security awareness training that is going

4:13to allow us to train our users so that they can understand

4:18the do's and don'ts of security

4:20and reduce the likelihood of human error.

4:23So there you go. Security awareness training.

4:25All right, that's the first one.

4:27Next up is virus and malware.

4:31So what are we gonna do with virus and malware?

4:34Well, security awareness training is out,

4:36we've already chosen that one.

4:37So let's see, file permissions, that's users accessing it,

4:41drive encryption, it's controlling access

4:44to our data on our drives.

4:46Okay, but endpoint protection, that was our anti-malware

4:49and antivirus.

4:50So there we go. Endpoint protection.

4:54Alright, let's talk about the next one.

4:56This is insider threats. Ooh.

5:00So when it comes to insider threats,

5:02would it be file permissions or drive encryption?

5:05Well, file permissions is going to allow us to

5:08practice access control so that our individuals,

5:12our employees and folks only have access to what they need.

5:15They don't have access to everything.

5:16So that would help protect against insider threat.

5:20There you go.

5:21And then last but not least,

5:23a stolen laptop right over here.

5:26So what are we gonna do to protect the data

5:28on a stolen laptop?

5:29Well, we only have one option left,

5:30and that's drive encryption.

5:32So let's go right over to drive encryption.

5:33And remember, if we encrypt our hard drive

5:36and someone steals the laptop with a hard drive in it,

5:38they're not gonna be able to read the data.

5:40So that is it. So match three and win, guess what?

5:43We matched four. I hope this has been informative for you,

5:46and I'd like to thank you for viewing.

Security Control Categories

0:00So now that we know what security controls are,

0:03and we understand that we use them every day,

0:05even in our normal everyday lives,

0:08not only in information security,

0:10well, we're gonna focus now on the information security,

0:13based security controls,

0:14and more specifically, the three different categories

0:18that we use to categorize security controls.

0:20So let's get started.

0:22So when it comes to security controls,

0:24we have three main categories,

0:27and that is administrative, physical, and technical.

0:35Those are the three primary categories of security controls.

0:38And now, we're gonna dive into each one and discuss them,

0:40starting with administrative security controls.

0:44So starting off,

0:45we're talking about administrative security controls.

0:47Think of this as administrative,

0:50thinking of reports and paper is involved.

0:53You're writing things out and you're reading things, okay?

0:56We're not necessarily configuring firewalls or antivirus

1:00or putting out anything to help protect access to something.

1:04This is more based on things

1:07around administrative types of work.

1:09Now, for example, an audit.

1:12An audit would be a type of administrative security control.

1:16You got these two folks down here performing audit

1:19on some data.

1:20And another example is the reviewing of file permissions

1:26where we're checking people's permissions

1:28to make sure they only have the permissions that they need.

1:30Because within our organization,

1:32we've got lots of people that work there,

1:34and people change roles.

1:37They move to different departments.

1:39And the thing is, when they do this,

1:42well, their needs for permissions often change.

1:45So we may add permissions to some users,

1:48but oftentimes, we forget to take away permissions

1:50that they no longer need.

1:51So that's where file permission reviews come into play.

1:55We're really trying to make sure

1:56that we practice least privilege,

1:59like we previously discussed.

2:01Another type of administrative security control

2:03are policies.

2:04We've talked about policies,

2:05and along with policies come our procedures,

2:09and along with policies and procedures come standards,

2:13and these standards outline requirements

2:17that we want to follow.

2:18And we could document those

2:20within our policies and procedures.

2:23And then lastly, something called a baseline.

2:27Now, what a baseline is,

2:28is these are standard settings, so we'll put that down here.

2:32These are standard settings

2:35for various objects such as servers and workstations

2:38and smartphones and network devices.

2:40You know, the list goes on and on and on.

2:42Think of a baseline as a recipe, okay?

2:46So if you were to bake a cake and you followed a recipe,

2:49and you know you put one cup of this

2:51and one teaspoon of this,

2:53and two tablespoons of this and four cups of this,

3:00and you put all these together,

3:01and out comes a wonderful cake

3:03that tastes absolutely beautiful.

3:05Okay, well, if you wanna reproduce that,

3:07you're gonna follow this same recipe.

3:09Well, that's what a baseline is

3:11when it comes to the devices within our environment.

3:15They're a group of standard settings.

3:18And we do this because when we deploy these devices,

3:21let's say we're deploying workstations,

3:23we want them to all be deployed the same way.

3:26And that's why we want to use a standard way of doing this.

3:30It ensures conformity and it reduces human error.

3:36Because if we have this baseline,

3:38and it's like a checklist here,

3:40where we've got all the things we need to do,

3:42when we deploy this workstation, let's say,

3:46we want to make sure that we join it to a specific domain.

3:49We wanna make sure that we configure certain settings

3:52on it, okay?

3:53We install antivirus on it.

3:54We do this to it, and we do that to it.

3:56That way, as we deploy multiple of these devices,

4:00they're all the same

4:03and they're meeting our organizational standards.

4:06And that's what a baseline is, that's what it does for us.

4:09And not just workstation, though.

4:11We're talking about servers and network devices

4:13and smartphones and tablets,

4:14and you know, the list goes on and on.

4:16It could be for anything that we deploy.

4:18So that's the baseline.

4:19So there you go.

4:20Those are some different examples

4:22of our administrative security controls.

4:24Let's talk about auditing and file permission review,

4:28and, of course, policies, procedures, standards,

4:30and baselines as well.

4:33So that's our administrative security controls.

4:36Next is our physical security controls.

4:38And think of this as physically protecting our assets.

4:43So when it comes to this,

4:44we might use something like a man trap,

4:47or it may be called a person trap now.

4:51But the idea here is that only one person can enter an area

4:56at a time.

4:57So like this person, goes ahead and types in this code here,

5:00and it goes into this contraption here,

5:03and the door closes and then the other side opens.

5:06But this way, only one person can enter at a time.

5:10You can't have two people in there.

5:12There's sensors in here that are checking

5:14to see if there's more than one person

5:15before opening the door on the other side.

5:18And this prevents something called piggybacking.

5:20And that's where one person will type in their code

5:24and they'll go ahead and walk in,

5:25and a second person will walk in before the door closes.

5:29Now, this man trap here, this prevents that.

5:32But if you think about a general building,

5:35and it's got a door there and maybe a keypad here,

5:37and somebody types in their digits

5:39and their door opens and they walk in,

5:41well, somebody coming up behind them can catch the door

5:44before it closes and let themselves in

5:47without putting their code in,

5:48and that's known as piggybacking.

5:49And that's what a man trap or a person trap prevents.

5:52Well, you know what else can help secure our building

5:56would be a guard, like this here.

5:58The guard's gonna sit there

5:59and make sure that only authorized personnel can come in.

6:02Another option would be security badges.

6:05So we've got a badge here, and it may be a proximity badge.

6:09And those are badges that when you have a badge reader

6:13outside of a door,

6:14you hold it up to the badge reader

6:15and it reads your credentials on there and it lets you in.

6:19Other examples of physical security controls

6:21would be fences.

6:22So you may have fences outside your building

6:25and maybe there's even some razor wire across the top

6:27because you have sensitive material inside

6:29and you wanna protect it.

6:31It could be lots of different things.

6:33It could be on the driveway going into the building.

6:36Maybe in front of the building,

6:38there are these little pylons

6:39that are there and they're metal

6:41so that you can't drive into the building,

6:43and they protect access into the building.

6:46And it could be a receptionist

6:48that's sitting in the building,

6:49could be lots of different things.

6:50So what we're talking about is physical security,

6:53and all of these are examples of that.

6:56And lastly, we're gonna talk

6:57about technical security controls.

6:59Now, this is where we're thinking about configuring things

7:01like firewalls and antivirus, and so on and so forth.

7:04So these are technical devices

7:07that help protect our digital assets,

7:10such as here, we have a firewall as an example, absolutely.

7:15We could have an intrusion prevention system.

7:18That's going to analyze data

7:19as it comes into our environment

7:21and check its digital signature to see if it is malicious.

7:25And if it is, well, it will stop it from entering,

7:28and that's what an IPS does.

7:30We also have encryption

7:31because we encrypt our data

7:34to protect it from unauthorized access.

7:37People can't read it

7:38if they don't have the proper encryption keys

7:40to decrypt and read that data.

7:42We also use things like session timeouts.

7:46And this is where you have a computer

7:47and you're sitting there working on something,

7:49and you get up and walk away to go get a snack or something,

7:53and you're over there chatting with somebody

7:54at the water cooler and you're gone for 15 minutes.

7:57Well, maybe after five minutes of inactivity,

8:01your screen locks

8:02so that you have to reenter your credentials

8:05before you're able to gain access to the computer again.

8:08So that would be like a session timeout.

8:10We could also use password aging or password rotation,

8:15and this is where once your password reaches a certain age,

8:18could be 90 days,

8:20or let's say it could be 180 days, whatever it might be.

8:23Within your company's policies,

8:25you're going to have to change your password

8:27every so many days.

8:29And again, that's to prevent us

8:30from keeping the same password for years on end,

8:33which increases the risk of that password being compromised

8:37or exposed in some way.

8:39And then lastly, along those same lines is account lockouts.

8:43So if we have, let's say, five failed login attempts

8:48within a 10-minute period,

8:51well, maybe the account locks out

8:53and you have to call the help desk to get it unlocked.

8:54And what this does is helps prevent

8:56against brute force login attacks,

8:59trying to guess people's passwords.

9:01So again, account lockouts are definitely another type

9:04of technical security controls.

9:06So that is our technical security controls.

9:09So again, we talked about the administrative security

9:13controls, our physical security controls,

9:16and lastly, our technical security controls.

9:19And those are the three different categories

9:20and some examples of each of them.

9:23I hope this has been informative for you,

9:24and I'd like to thank you for viewing.
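The three technical controls at the end of this lesson (account lockout after five failed logins in a ten-minute period, a five-minute idle session timeout, and 90-day password aging), worked as an added Python example that is not part of the course transcript or CBT Nuggets material. The credential store is an in-memory stand-in for a directory, the lockout duration and account names are constructed values, and the lockout uses a sliding window so that five failures spread over more than ten minutes do not lock the account.

```python
import hmac
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional


@dataclass
class AuthPolicy:
    """Thresholds named in the lesson; lockout_s is a constructed value."""
    max_failures: int = 5                 # failed logins allowed ...
    failure_window_s: int = 10 * 60       # ... within a 10-minute period
    lockout_s: int = 15 * 60              # how long the lock lasts (constructed)
    idle_timeout_s: int = 5 * 60          # screen locks after 5 minutes idle
    max_password_age_s: int = 90 * 86400  # password aging at 90 days


@dataclass
class Account:
    password: str                          # plaintext only because this is a demo
    password_set_at: float
    failures: Deque[float] = field(default_factory=deque)  # recent failure times
    locked_until: float = 0.0
    last_activity: Optional[float] = None  # None means no unlocked session


class Authenticator:
    """In-memory stand-in for a directory or identity provider (constructed)."""

    def __init__(self, policy: AuthPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, Account] = {}

    def register(self, user: str, password: str, now: float) -> None:
        self.accounts[user] = Account(password=password, password_set_at=now)

    def login(self, user: str, password: str, now: float) -> str:
        """Returns "ok", "invalid", "locked" or "password_expired"."""
        acct = self.accounts.get(user)
        if acct is None:
            return "invalid"  # same answer as a bad password: no username enumeration
        if now < acct.locked_until:
            return "locked"
        # Sliding window: forget failures older than failure_window_s.
        while acct.failures and now - acct.failures[0] > self.policy.failure_window_s:
            acct.failures.popleft()
        # Constant-time comparison, the habit to keep even in a demo.
        if not hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures.append(now)
            if len(acct.failures) >= self.policy.max_failures:
                acct.locked_until = now + self.policy.lockout_s
                acct.failures.clear()
                return "locked"
            return "invalid"
        acct.failures.clear()
        if now - acct.password_set_at > self.policy.max_password_age_s:
            return "password_expired"  # right password, but it must be rotated first
        acct.last_activity = now
        return "ok"

    def touch(self, user: str, now: float) -> str:
        """Called on user activity; returns "active" or "session_locked"."""
        acct = self.accounts[user]
        if acct.last_activity is None or now - acct.last_activity > self.policy.idle_timeout_s:
            acct.last_activity = None  # credentials must be re-entered via login()
            return "session_locked"
        acct.last_activity = now
        return "active"


if __name__ == "__main__":
    auth = Authenticator(AuthPolicy())
    auth.register("alice", "correct horse", now=0.0)
    for t in range(5):
        print(f"t={t}s guess:", auth.login("alice", "wrong", now=float(t)))
    print("t=5s real password:", auth.login("alice", "correct horse", now=5.0))
    print("t=1000s real password:", auth.login("alice", "correct horse", now=1000.0))
    print("t=1600s activity:", auth.touch("alice", now=1600.0))
```

The window check runs before the password check so that stale failures never count, and the lock is applied on the failing attempt itself rather than on the next one, which is what stops a guessing loop at the fifth try.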

Other Security Concepts

0:00All right, we're gonna wrap up this series of Nuggets

0:04by discussing some other security concepts,

0:07such as performing periodic assessments,

0:10carrying out audits,

0:11and something called due diligence and due care,

0:14and we'll discuss what those are and how they differ.

0:17So with no further ado, let's jump in and get started.

0:20All right, so we're gonna start off

0:22by talking about assessing compliance.

0:24And within many fields of business,

0:27there are needs to comply

0:28with regulatory standards and laws.

0:32For example, if you produce a product,

0:34and during that process of creating that product,

0:37you end up with some wastewater.

0:39So say, we've got a barrel of wastewater here.

0:42Well, we can't simply go and pour it down the drain.

0:45That's just not acceptable according to the EPA

0:48or Environmental Protection Agency here in the US.

0:52So what are we gonna do with it then?

0:53Well, I don't know.

0:54We gotta figure out what the EPA says we need to do with it.

0:56And again, this goes back to standards and laws.

0:59And no matter what area of business that you're in,

1:03whether you're in financial or you're in aerospace

1:06or you build widgets, really doesn't matter,

1:08most times, we have to abide by some type of standard

1:12or law.

1:12So most companies will need to comply

1:15with some sort of rules and regulations

1:17in order to ensure a company is conforming

1:18with those laws and regulations.

1:21And oftentimes, we perform a self-assessment,

1:25and that's where we go and we take a look

1:26at those standards and laws that we need to comply with

1:29and we go through and check off to see how we are doing.

1:33And so we'll have someone inside the organization do that.

1:36That's why it's called a self-assessment.

1:38Generally, it's not someone from outside the organization

1:40that comes in and does an assessment like this.

1:42And we do this to make sure that we are in compliance,

1:46we're meeting the requirements of the laws and standards

1:49that are put forth.

1:51And when we do these, the cost of it is relatively low,

1:55and that's because we're using internal personnel,

1:58and they're already familiar with what we do as a company,

2:01and we don't have to provide them access.

2:03They already have the access.

2:04So that's where that low cost comes into play.

2:07Now, one of the other things

2:09other than standards and laws and regulations

2:11that we should be assessing are our security controls.

2:16We need to go through our security controls

2:18that we have in place,

2:19and we need to perform assessments

2:21to make sure that those security controls are performing

2:24as they should.

2:25They're providing us the protection that we need from them.

2:29So that is assessing our compliance.

2:31Next step, we're gonna talk about periodic audits

2:34and reviews.

2:35Now, an audit is more of a formal assessment of compliance,

2:41and it could be compliance with a specific standard or law,

2:44or it could be an audit of our security controls,

2:48either way.

2:49And generally, this is going to be an outside person.

2:52So someone from outside of the organization,

2:54and they are gonna come in and perform our audit for us

2:59and let us know how we're doing.

3:00And when we're auditing security controls,

3:03there's something that we need to talk about.

3:05So let's put those security controls back up here.

3:08When we're auditing against our security controls,

3:11we need to have something known as a baseline.

3:15And a baseline, when it comes to auditing

3:17and security controls,

3:18is going to be data showing how that security control works.

3:23So for example, if we had a firewall here,

3:26let's just draw out a little firewall.

3:28And a baseline for a firewall would show

3:30what ports or IP addresses are allowed to go

3:35through the firewall.

3:37And that way, we could test it.

3:39I could take an IP address that's not supposed to be allowed

3:42through the firewall,

3:43and I could try to access it.

3:45And if it's not able to go through,

3:46then I would know

3:47that security control is functioning properly.

3:50And then I would want to pick one that is allowed through,

3:53and I'd wanna test it

3:54to make sure that that security control is allowing in

3:56that through as it should.

3:58But you'll see here,

3:59if I as an auditor come in and I need to test something,

4:02I need to have something that tells me

4:04how that is supposed to work, and that is the baseline.

4:08Because if I don't know how it's supposed to work,

4:10then how do I know if it is going to pass or fail the audit?

4:16And the IT team is going to provide that baseline

4:20to the auditor.

4:21And they're also gonna have to provide the auditor access

4:23into whatever they need access to

4:25in order to perform their auditing.

4:27So there is a higher cost when it comes to an audit,

4:30generally, because we're dealing with an outside individual

4:33that has to be paid accordingly, as well as our IT staff.

4:37They have to provide them access

4:39and create and provide a baseline for them

4:41so they can perform the audit.

4:43And there is an added bonus when it comes

4:46to having an outside individual perform the audit,

4:50and that is that that person has nothing to gain

4:54from a control working properly

4:57or not working properly, right?

4:59Whereas if we had an internal person performing this audit,

5:02they may feel pressures from the board

5:05or from their managers or from whoever it is

5:08to say that everything is working hunky-dory, right?

5:11Absolutely, there could be internal pressures like that,

5:14but an outside individual

5:16most likely isn't gonna have those pressures.

5:18So you're more likely to get an honest review

5:22of your security controls

5:23and compliance with laws and regulations.

5:26So that's our periodic audit and review.

5:29And next up, we're gonna talk about due diligence.

5:33Now, what does that mean?

5:34Well, what due diligence really comes down to

5:37is putting forth the effort to understand your information,

5:43your organization, your information security policies,

5:47procedures, and knowing your environment.

5:49So it comes down to really a key word, understand.

5:53I'll put in here also, know, to know.

5:56So really, due diligence is the effort you put forth

5:59to understand, to learn about,

6:02to know about your organization or what you're protecting,

6:06such as your data.

6:07What type of data are you working with?

6:10Or types, I could put in here,

6:12because there's multiple types of data.

6:14What laws surround your data?

6:17Where your data is located?

6:20These are all things that you need to know about your data,

6:24and that is due diligence.

6:25Due diligence is putting forth the effort,

6:28again, to understand, to know,

6:30to learn about what you are responsible for.

6:33And here, we're talking about data.

6:36So that's due diligence.

6:37Let's talk about due care.

6:39Due care is a little bit different.

6:42Due care comes down to action.

6:47Due diligence was all about learning

6:49and knowing and understanding.

6:51But due care is about what actions you take to do something,

6:56like monitor your data,

6:59to protect your data so that if there is an incident,

7:03you are able to manage your data

7:05and make sure it's available and protected.

7:08Now, when it comes to due care and due diligence,

7:10this isn't only information security-related.

7:13This comes down to everything in your organization.

7:16But we're talking about data and protecting our data.

7:19So if we talk about due care of data protection,

7:22we would wanna make sure that we're monitoring,

7:24we're protecting it.

7:25We have firewalls, we have other kinds of things.

7:28We have endpoint security.

7:30We're performing backups of our data.

7:34We're managing access control for our data.

7:38And these are types or examples of due care

7:41when it comes to managing data.

7:43So again, due care is all about action.

7:46Now, let's take an example here

7:48of due diligence versus due care,

7:51and this is all about owning a dog.

7:55So over here, we have a Wikipedia down here.

7:59So this is using a Wikipedia to learn about something.

8:04Over here, it looks like we're doing some researching

8:06and asking questions.

8:07So here, obviously, we're not doing a whole lot

8:11other than research.

8:13All right, so we're learning over there.

8:15And then over here, we have a dirty dog

8:17that needs to be cleaned.

8:18We need to take our dog for a walk,

8:19and we need to make sure the dog doesn't get into trouble.

8:22So over here, these are more action items.

8:25So over here, we have learning.

8:27And over here, we have actions.

8:30Now, which is due care and which is due diligence?

8:34Well, due diligence was putting forth the effort

8:37to understand or learn about something.

8:40So obviously, due diligence is this activity down here,

8:45whereas due care was all about action.

8:48So that goes right over here into our action.

8:51So there's a good example of due care versus due diligence.

8:55I hope this has been informative for you,

8:56and I'd like to thank you for viewing.

Validation

0:00Instructor: It's validation time,

0:01and we're gonna validate the information

0:04that you learned during this skill,

0:05and we talked about security controls,

0:08and here your manager assigned you a task

0:10coming up with two security controls

0:12that you can implement at your organization

0:14to help protect your data backups.

0:15So what two did you come up with?

0:17I'm gonna go through the four

0:18that I came up with very quickly.

0:21The first one is going to be an audit or assessment.

0:26Performing audits and assessments would help us make sure

0:29that data backups are being performed

0:31and according to the way they're supposed to be performed,

0:34whether it's every night or every other day,

0:37just depending on what's going on in the organization.

0:40So an audit or assessment, that's a great thing to do.

0:43Next would be performing a test restore.

0:47So we got our little scientist over here

0:49doing some type of experiment.

0:51The idea is we wanna take our backup data there

0:54and we want to restore it somewhere

0:56to make sure that our backup applications

0:58and procedures are working properly

1:00so that we know when it's time to restore

1:02if we need to for some reason that we can.

1:04Another one would be to store backups offsite.

1:09And the idea here is maybe we have all of our data over here

1:12and we wanna back it up to the cloud or to another location.

1:16That way if there's some type of breakout,

1:18whether it's ransomware or some type of infection,

1:20and it infects our local storage,

1:22well, it's not going to infect our offsite backups.

1:26So keep that in mind. That's a good option there.

1:29And then lastly, we're gonna go back

1:31to our administrative types of security controls.

1:35And we're talking about mandatory vacation.

1:39That's right, if our IT folks have to perform

1:42or experience or enjoy, let's put it that way,

1:45a mandatory vacation, somebody else fills in for them,

1:47and again, we're getting a second set of eyes

1:49on the backend at that point in time.

1:51So those are four different types of security controls

1:55that we could implement to make sure

1:56that our backups are being performed correctly,

1:59that our backup procedures work correctly,

2:02that our software and hardware's working correctly,

2:05and that we're protecting our backup data

2:08from security threats.

2:10So there you go. Hopefully you had at least one of these.

2:13If not, cool. You know what?

2:14There's lots of different controls you can implement.

2:17These are just a couple of them

2:19for us to take a look at and discuss.

2:21Congratulations on finishing out the discussing ethics

2:25and security concept skill.

2:27I hope this has been informative for you,

2:29and I'd like to thank you for viewing.
