To Rev 5 & Beyond

00:00

so welcome to less than 1.6 where we're gonna go from two revision five and beyond. And just talk about the current revision, and then I should look at anything passes you understand how to assess it for your organization.

00:14

So for this lesson, we're gonna look at some of the major changes for red five. Describe the reasons why we needed a new revision. Interpret how an organization should implement red five. So just give some high level of idea of how it should be done

00:30

and then kind of talk about how we address rapidly changing technology as we've seen, and how this life cycle of the document may not always keep up with the technology.

00:41

So think about how much has changed since ready for in 2013. So at this time six years ago, ever since then, everything's connected your refrigerator, your smoke detectors as doorbells. Now everything has an embedded processor. Code is open, sores start moving to virtualization.

01:00

And my bullet, I just said, is not already

01:03

not up the technology because we started moving away from virtual ization into container, like why do we need virtualized a whole system when I could just spit up a doctor, a doctor instance, And it just does what I want. It's it's up for a couple minutes and then it goes away and, like, How do we

01:18

this contract? We take these controls? How do you even apply to assistant? That's Onley online for, say, three minutes. You may be expecting your

01:26

ah virtualized instance to come up and install ages to take five or 10 minutes. And if you waited for all that that could, the system would already been offline. So we need to again figure out ways to address this technology. And then, of course, the cloud. And where is your data? Even store? We say it's in.

01:42

We have a system. But what does that mean? Is it replicated outside your country?

01:48

Does that matter to you?

01:49

There's a lot of really going on that needs to be addressed.

01:53

Azi mentioned for red five. It's gonna take the privacy controls and said, keeping them separate. They're actually gonna integrate them in because they thought that was important enough.

02:01

And they're gonna transition away from information system to system because again, information system doesn't doesn't always make sense. Now. I have this Internet of things device. It doesn't store any data. It just processes it. So is an information system. Not really, because there's no information. It's sending it on somewhere else

02:20

on there, also incorporating the cyber security framework, which is a whole nother topic we can't go into. But if you go out and search on that, there's a lot to discuss it now.

02:31

So the other topics they incorporated they mentioned is the Internet of things. That's all these diet devices, the camera to smoke detectors, the doorbell, things like that, or but within the organization might be environmental controls any of that

02:46

cloud computing mobile devices again, the physical systems. We didn't think about that for the longest for the longest time. That's important. These industrial control systems, these embedded controls or these modules that you may not be able to update. They may not have the security feature that you need, and you have these

03:02

requirements that say, you must do this. How do I do this on the system that I can't even update or

03:07

performed these functions? How doe I mitigate those controls?

03:12

They also wanted you to start relations to look at state of the practice involving threat intelligence like I mentioned before, is what other threats out there specific to my organization and my financial Am I

03:24

health care, anything like that? What? What are what are these threats out there? What these threat actors that really are going to infect our sorry affect my system

03:37

and then going beyond red five, the in red five and really everyone of the revisions save the controls have been in hands. Sometimes they've withdrawn them something added new ones. They change the supplemental guidance. That language changed a little bit,

03:52

they said. There's this couple year life cycle where they're with it, where they come out with a new revision.

03:58

Andi, it's difficult. They mentioned to really capture the technology. So what does this say you should do? The best way is to tailor your controls to address the technology. We'll talk a little bit later about it, but they've in all a lot a lot of the controls. There is these organs organization to find variables. What they call it

04:17

is it.

04:17

They give you the chance to say what it means, so they'll give you the framework of it. But allow you to make it specific. So this is

04:26

the best way to work on new revisions. Or, I said, within revision changes as well. And miss, give it a

04:35

suggested methodology. It's very high level, but they're really when they want to do is say, take a look at the new revision. Are the new controls, they added, applicable to your system? If they are, maybe you want to roll them in or, you know, add some of them without one do you want, or the ones that are that makes sense. Then take a look at the supplemental guidance

04:54

changes applicable if they are

04:57

decide what is the risk of not including that in there, because there's always the balance of redoing everything. Redoing your accreditation for this new revision isn't worth what you're actually doing. Time in the money you're spending in that. Are you really getting in war Secure system? It's back to their idea about compliance vs

05:15

security, which balance and find what's really the best

05:18

effort that you're gonna put into securing your system.

05:21

And what they suggest is integrate to changes into your continuous monitoring strategy. So maybe you don't have to put it into your document are your security plan. You might not have to actually implement the controls, but you have if you have ah, really good continuous monitoring strategy out there and you have a way of testing the controls implemented into that

05:41

and then spend time looking through the revision

05:44

to see how it's applicable

05:46

claims that there's a lot

05:46

to that. It takes two.

05:49

Go to a new revision, especially if you're using software for keeping the controls. For a manager of your poems like that, that all that has to be updated.