The CISSP Mindset: Part 1
Video Activity

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
Our next section, I want to talk to you a little bit about the CISSP mindset. I have so much to say about it that we've had to divide it into Part 1 and Part 2. But quite honestly, in my mind, this is the absolute most important thing I can tell you about this exam. Certainly, we're going to cover the material and make it make sense, but you've got to go into this exam with the proper mindset. We're going to break this up into two sections, so let's go ahead and get started.
The first thing I want to tell you is that your role is a risk adviser; do not fix problems on this exam. The hardest thing in the world for a technical person is to see a problem and not fix it. Most of us are hired because we can fix problems. But remember, your role is a risk adviser.

Let me give you a tricky question. Let's say I give you a scenario. Kelly has been with the company for six months and she's been a difficult employee. It's been determined that Kelly should be terminated Friday at 10:00 AM. What should you do Friday at 10:00 AM? Now, guaranteed, the vast majority of people are going to say disable Kelly's accounts, revoke her credentials, recover company property. But the thing is, that's not what a risk adviser does. That's what your security team does, or your security admin, revoking credentials and so on. As a risk adviser, you make sure the appropriate parties are notified, so your role would be to contact the appropriate parties. Your role would be to make sure the proper policies and procedures are in place. When is the last time you've had a risk officer come down to the basement to disable an account? That doesn't happen. It shouldn't happen, because that's a violation of separation of duties.

If you remember, this is a hands-off test. Your job: collect information, make an assessment of the risks, advise senior management, influence policy. Those are fine. But you will not touch things. Any time on this exam you find yourself tempted to go hack the registry, disable an account, block a port on a firewall, or disable a user's access to a website, those are all incorrect. The focus on this exam is process, not problems.
I don't know if any of you have ever worked for a company where you feel like you're just running around putting out fire after fire. That's not a long-term focus. If you can't do your job for putting out fires, that's no good to anybody. On this exam, what we do is go back and look at the process. If you fix the process, the problems will take care of themselves. I'm not worried that John has malware on his system. I'll re-image that system and bring it back to normal in no time. What I'm worried about is how that system got malware in the first place. Do we have a lapse in our change management or configuration management processes? Where is our vulnerability? That is your focus, and that's the piece that I think messes a lot of very good technical people up. We want to fix things. Hands off: back up, collect information, advise senior management. Don't forget it.
Now the second bullet point: who is accountable for security? We have to address the fact that we have a word, accountable, and another similar word, responsible. Sometimes those words get used interchangeably. But on this exam, as it should be, accountable means the buck stops here. Usually, when we talk about accountable, we're talking about senior leadership. We're talking about the folks that have liability associated with the loss of assets. Now, something tricky is they may also say accountable, or ultimately responsible, or who has the ultimate responsibility. Any time you see that word ultimate: senior management. Accountable: senior management. But who is responsible? Not ultimately responsible, but responsible. All of us have a responsibility for information security. But senior leadership is accountable, also known as ultimately responsible.
Next question. I love this question. How much security is enough? I think we've all heard, you can never have enough security. But you absolutely can have enough security, and you can absolutely have too much security. For instance, if I were to ask you all, how many of you have a retina scan in order to walk into your home? My guess is not many of you. Well, why not? Well, they're expensive. I would have to purchase the device, I would have to reconfigure the entranceway. And the money is one thing, but think about the effort. Think about the fact that I've got 17 bags of groceries in my hand, because God forbid I make two trips from the car, and I've got these 17 bags of groceries in my hand and the biometric scan of my retina isn't working properly.

When we talk about how much security is enough, what we have to do is find that delicate balance of protecting our assets without having costs so high that they exceed the value of our assets. Now the tricky part there is that it can be hard to determine the exact value of your assets. But we can also have difficulty in quantitatively defining the costs of controls. Of course, I can give you the dollar amount for a retina scanner to get into your home, but we also have to factor in performance. We have to factor in ease of use and backwards compatibility. You will always pay for security. The question is, how much am I willing to pay? Because there's always a limit where, if I cross over it, I'm spending more than the asset warrants. That's where risk management and the fourth bullet point come in.
Risk management starts with identifying your assets and figuring out what they're worth. Always start there with every decision you make and you can't go wrong. What am I protecting? What's it worth? From there I look at threats and vulnerabilities relevant to the asset. I think about the potential for loss, which means basically I take the probability and the impact of the risk event, and then I compare that to the cost of the countermeasure. What I'm looking for is a positive return on investment. I want to save more than I put out. We'll get much deeper in depth when we look at the risk management section.
Then my last bullet point here with Part 1: if all the answers seem good, stop staring at the answers and go back to the question. Let me give you an example. Let's say you see a question that says, what is the purpose of classification? A says to indicate harm if the file is compromised, B says to indicate harm if the file is not available, C says to describe the value of the data, and D says to determine how to protect the data. Now if you look at that question, many people will say, but all of those are correct, because the data does tell me the harm if that asset is compromised. It can tell me the harm if the asset is not available, and classification does give me an indication that the data is valued. But I know I can't choose all four answers, so let me go back to the question, and the question starts with the word why. Why means, what's the ultimate purpose? When I ask myself what the ultimate purpose is, the ultimate purpose of classifying data is so that we can secure it. Rarely is the ultimate purpose to identify, to document. Those happen, but the ultimate purpose is that they mandate a certain degree of security, which is really why we classify data. Go back and stare at the question if you feel like all the answers are the same. Find that key word that makes answer D better than A, B, and C. That was my first part of the CISSP mindset. The next section is going to cover the second set of elements.