CCT 162: Decoding Data Roles in CISSP and Navigating NIST Guidelines for Cybersecurity Governance (Domain 2)

Jul 29, 2024
 

Unlock the secrets to mastering Domain 2 of the CISSP exam and navigate the paradox of the booming yet financially strained cybersecurity field. Despite the staggering 4 million global job openings, recent budget cuts and layoffs are reshaping the landscape. Learn how economic challenges are clashing with the rising demand for cybersecurity skills, the increasing pressures of governmental regulations, especially in AI security, and combatting the burgeoning threat of insider attacks. If you're gearing up for CISSP certification, this segment is packed with critical insights you won’t want to miss.

Ever wondered who the gatekeepers of your data truly are? We break down the crucial roles of data owners and asset owners, shedding light on their pivotal responsibilities within an organization. Referencing CISSP and NIST frameworks, discover how these high-ranking individuals play an essential part in data classification, access control, and lifecycle management. Our discussion emphasizes the vital importance of clearly defining these roles to maintain data confidentiality, integrity, and availability—cornerstones of robust cybersecurity practices.

Finally, get acquainted with the essential tools and roles that keep your data fortress secure. From asset management solutions like Intune to the meticulous duties of data processors and controllers, this chapter provides a thorough overview of effective data management. Learn about developing and implementing critical policies and procedures including patch management and usage guidelines. Plus, get the scoop on our new specialized CISSP mentorship program, designed to offer you personalized coaching and career guidance in your cybersecurity journey. Tune in for a comprehensive guide that will bolster your CISSP preparation and career development.


TRANSCRIPT

Speaker 1:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go. Good morning, this is Sean Gerber with CISSP Cyber Training. Hope you all are doing wonderful this day.

Speaker 1:  

Today is another beautiful day here in Wichita, Kansas, and I just can't complain whatsoever. Today we're going to be talking about Domain 2, Domain 2 of the CISSP exam. We're going to go over some details around some awesome aspects as it relates to that specific area. But before we do, one thing I saw in the news that was interesting today was around the cyber skill gap. Now this is on infosecsecuritymagazinecom and I don't know if you all have been listening to the news and what some of the changes that have been happening around the world. One of the things that has come up routinely, especially with the economy slowing down, supposedly, who knows what it is.

Speaker 1:  

There has been a cutback in relation to some of the cybersecurity workforces. More or less some people are getting laid off. Now this is interesting in the fact that they're getting laid off but they're not really going to have to wait long to get a job, because I was reading this article talks about how that's basically about 4 million people are looking for a job, where there's basically 4 million roles open around the globe for cybersecurity. So it's pretty amazing that you could basically leave a job and then just get one picked up pretty quickly. However, that being said, you obviously have to go through all the pain and suffering of trying to find a new role, but what they're saying is that, out of basically 92% of the professionals that they had dealt with that are in cyber right now still see that there's a strong skill gap within their organization and I've seen that myself where there's plenty of people that may be trying to learn cybersecurity, but they just don't have all the skills needed. I will even point fingers at myself in that. One of the weak points that I have is around AI and the cloud-based security. The good thing is there's other people that are much stronger than me that I work with that help me. But at the end of it is, I feel strongly that there's just a huge gap between what I know and what I should know and what I actually know.

Speaker 1:  

But the bottom line is that they're having various cutbacks and layoffs are impacting each of the cybersecurity sectors and I've seen this as well is that there are companies that are either having to do hiring freezes, budget cuts, promotions and raises are obviously getting frozen, depending upon the economy and the business, and then there are obviously some layoffs. Then you look at this screen, you'll be able to see this on CISSP Cyber Training or actually on my YouTube channel a little bit later on, you'll be able to see that there's around a 30% change in organizations that are either dealing with budget cuts, promotion changes, layoffs and so forth. So there's a lot that's happening within the cybersecurity space. That being said, I know the Biden administration just came out with, at the time of this recording, a couple days ago, where they're putting in place anything that deals with AI. The US government wants to know about any security gaps that you may have. So that's going to put another burden on our security workforces to ensure that they are able to get that information to the US government, and I assume that wherever you're listening to this, your government's probably going to want something very similar to that. They all kind of follow suit. When they see a shiny penny, they all gravitate towards it. So they go, oh, that's a great idea, we should do that too. And that's what they do. They all then all like little lemmings, they all kind of chase the same thing.

Speaker 1:  

Now, an interesting also part is that they talked about that there's about 28% of cyber professionals reported layoffs elsewhere in their organization. I've seen that personally myself. That's occurred, whereas in the cyberspace it isn't so much in my roles but in other parts of the organization people were getting let go, which is just it's not good. It's not good for people, it's not good for morale. It's unfortunate, but it's business, it's not personal. And that's the part that's really hard for some people to understand as well is just the fact that when companies have to do this, they don't do it because they don't like people. I mean, I guess there's probably companies that do that, but for the most part they don't do that. It is just business and they have to deal with the cost of that, but it doesn't help matters any when you're the one that's getting on the receiving end of that. Big thing comes into.

Speaker 1:  

Those insider threats they said are on the rise and I've seen this personally myself is that there's more folks that are trying to basically, through their moonlighting options, through whatever it might be, are actually becoming a bigger threat for organizations. They're saying this is up close to 71% of the workload of people have increased and so, therefore, of the people they've asked as relates to this survey, 52% of them that responded said they've seen a significant increase in insider related events and incidents. So that's important that wherever you go with your CISSP, you need to make sure that you are focused on the insider threat issue. It will be a factor at whatever company you go work for. It doesn't matter how good the company is. There's going to be people that are going to take advantage of that.

Speaker 1:  

One thing, the last thing I want to kind of go through is the lack of AI skills. If you're studying for your CISSP, obviously you want to expand your career and you want to learn more things. Well, the AI piece of this is becoming a bigger factor. Now, one thing I read that I thought was good is the fact that you do as a cybersecurity professional. You're in a much better position than you think you are. You may not know all of the details around machine learning languages, but you will. Based on your experience in security, you can do a really good job of helping mitigate some of the risks that can be brought on by these different types of technologies. So you have the skills, the chops, needed to be successful. But, again, AI is a big factor in what's happening around the globe and what the changes that you're seeing. All right, that's all I've got. You can check out this article. Again, it's at InfoSecurity Magazine and it's about cyber skills and the overall gaps that they're seeing, by James Cooker.

Speaker 1:  

All right, let's get started on today's lesson. Okay, so today in this podcast, we're going to be going over decoding the data roles that are associated with CISSP and around some of the guidelines that you might see through NIST. So we're going to basically get into what are data owners, what are asset owners, what are data processors, controllers, custodians, all of those pieces we're going to kind of walk through as it relates to the CISSP and things you need to be aware of. We're also, at the last part of this, going to be getting into the regulations that you may see as it relates to these different types of roles, so that you're aware of when you may deal with them, because, like GDPR, HIPAA, they all talk about these a little bit differently. Okay, so when you're dealing with these roles, it is important for you to define these in a good way, especially when you're dealing with any sort of aspect of your organization, and it's important that, by doing this, that everybody understands the role that you're trying to accomplish with these specific data protections. And so, as it comes down to, we're going to go into each of these and I'll use an example of how this has been.

Speaker 1:  

One in where I've seen in the past that has been a bit of a challenge is that who actually is the data owner, who is the person, who is the administrator, who is the custodian and these terms. These are designed with the CISSP so that you have a consistent set of terms to talk about this within your organization, but when you get into companies, they will all talk about it a little bit differently, but I will tell you that in many cases, the data owner is probably the crux. It's the key factor that you need to really truly understand and you need to work through as a security professional within your organization, who is the data owner specifically for the data that you're trying to protect, and then with the CISSP, this is really really hard and I didn't say really hard, it's really challenging and you need to make sure that you're leading the overall data protection within your organization. People are gonna look to you to give them guidance and direction in this space, so it's important for you to understand it. Hence, that's why it's taught in the CISSP, is because they feel you should need to know it. It's also called out in NIST, which is your National Institute of Standards and Technology. They will talk about the various data roles that you may experience and it's a really good publication to walk you through the data, different data roles and how they would work within your organization, and it's all tied to the NIST cybersecurity framework. Now that framework, as you guys are well aware, that is changing. They have made some modifications to it that will be occurring here in the near future, but bottom line is the NIST cybersecurity framework is a really good framework, no matter where you're at, what country you're in and what geographical location you might be using. That framework is very helpful.
Now, there's many other frameworks out there that you can use, but I feel we kind of come back to this one, mainly because the CISSP works very diligently in the NIST space. They do talk about the other frameworks that are available, but the primary one that is focused is the NIST cybersecurity framework, or 853.

Speaker 1:  

Okay, so we're going to get into the data owner. That's the first one we're going to start with and I talked about just a little bit in the preamble of this. The data owner is probably one of the most important roles that I have dealt with personally as it relates to the CISSP, but also for my data protection environments. So, as your data role, this is usually someone that's well high ranked within your organization. Typically, I've seen it where the CEO or the owner is the actual data owner themselves. They may delegate this responsibility to other people, such as department heads or managers within your organization, but it should be somebody very high up in your company that will understand the data itself, how important the data is, what does the data provide, and so forth.

Speaker 1:  

Now the responsibility around this person is they will determine how sensitive this specific data is, and they will help you in determining the confidentiality, integrity and availability requirements of this specific data. Now, what you're going to have to do when you talk about data with this person is you're also going to have to help them understand where is this data stored, because you may end up having a different protection mechanism of this data depending upon its location, and what I mean by that is, is it in a SaaS environment? Is it going to be within your business environment? Is it going to be in your manufacturing environment? Those are areas you're going to have to be aware of when you go and talk to this person. Whoever this person might be, they need to have the approving access or the approving authority for determining what happens with this data itself. So this is a problem I've seen time and again is that there is no real defined data owner and therefore, when you need decisions made around its protection, there's nobody there to actually approve it, because nobody knows that they have the decision rights to do that specific challenge. So it's important for you, as a security professional, to make sure that you define this right out of the get-go, right out of the beginning, who is this data owner. Now, this also aligns with what the NIST cybersecurity framework talks about, how identifying and protecting is an important factor in that framework, and by defining who this data owner is, you can identify and also protect the functions specifically defined as data classification and the control mechanisms that are defined around this specific person as well.

Speaker 1:  

Now we're going to get into some key responsibilities of a data owner. You may see this when you're in your CISSP. You may get the question of what is the most important role this person does, or what is one of the key responsibilities that this person may do. So here are some key responsibilities of this data owner. Now keep in mind, as I tantalize you right, that I'm going to dig deeper, but then I stop and I wait. Oh, no, not yet. No, the thing is is that you want to make sure that, as you're taking the CISSP exam, many of these responsibilities that I'm going to talk about with the data owners, the asset owners and so forth, they're very similar. So you need to use a constructive thought process as you're reading these questions to really understand what they're asking for.

Speaker 1:  

So the key responsibility of a data owner is one, obviously the classification of the data, understanding how to define the data's classification from a sensitivity, confidentiality and potential business impact to the organization. So right as an example, it could be where they determine if it's public, internal, top secret, secret. They're the person or persons, it may even be a committee, that make that decision, but they're the ones that will do that. They also will help you with access controls. They help set the permissions and the sharing protocols for the data. As an example, if you're sharing data outside your organization, they may be the ones that help you to determine what should be shared and what should not be shared. Life cycle management: they determine the life cycle of when the data is created, how long is the data saved, and then the deletion aspects around the data, how long it should be retained. They are the people that will help with the overall life cycle management of it. They also will ensure that there's some regular auditing and monitoring of the data.

Speaker 1:  

Now you may end up dealing with the data owner. They may not realize they should do this. You, as a security professional, may need to come to them saying, hey, we need to look at this aspect or this application and we need to audit it to ensure that the data is properly protected. They would then go ahead to go do that and then regulatory compliance their responsibility is to ensure that the management and they comply with all the laws and the regulations tied to the protection of this information. Now, this information could be proprietary information, like intellectual property, or it could be individuals' personal data. You'll deal with this. If you're in China, I deal with the PIPL, which is a personal information protection law. You will have to deal with that if you're sending data outside of China as a country. So it will be the data owner's responsibility to ensure that this meets this requirement. Now, to keep in mind, they may end up looking to you as that person. You may become the de facto data owner, but just keep in mind that is not your role. You need to have someone defined to specifically do that.

Speaker 1:  

Asset owners. Now, the asset owner, it has a broader responsibility over the entire asset and this could be a physical device, could be software or it could be the data itself. Now, their responsibility is to maintain the overall asset inventory. This includes all hardware, software, assets, etc. And they are responsible for any sort of bringing on anything: acquisitions, maintenance or decommissioning of the assets themselves. Now, keep in mind this could be delegated. Again, a lot of this is delegated in many cases to IT, but you, as an IT professional, need to make sure that there is somebody that has physical control. It's in their, we call it the RR&Es, their role, responsibilities and expectations. They need to make sure that that is defined in there for them. But again, it should be defined to one specific person. It should not be to the IT person. Unless you're an IT organization, it needs to be someone within the business. Also, this is tied well into NIST and how it works.

Speaker 1:  

There's also the, as it relates to the asset owners. This is mainly concerned with the identify aspects of the cybersecurity framework. So when you're dealing with the data owner or the asset owner, this is where it falls specifically with identify. Now, the key responsibilities of asset owners: obviously, identification and inventory, knowing what you have within your organization. This could be hardware, software, again, data assets as well. The classification and labeling. Now, this person may work very closely with the overall data owner to understand the classification, but their purpose is to ensure that it is implemented in a way that the data owner may wish. Now, the data owner and the asset owner may be the same person, it just depends, it could be different. They don't have to be different, but know that they wanna have.

Speaker 1:  

The key thing around the CISSP is they were trying to define each of these roles and what their responsibility is, but again, the individual could be doing multiple, wearing multiple hats being the data owner, the asset owner and so forth. The asset owner's responsibility is around the documentation. You need to make sure that all the information is documented where the asset is to include potential custodians and secondary custodians. They also conduct risk assessments and they implement risk mitigation strategies for the specific assets themselves. They can be tied into lifecycle management, similar as the data owner. Again, they could be one and the same, but they want this specifically broken out, tied into auditing and monitoring as well.

Speaker 1:  

Which kind of tools could be used to monitor the access? As an example, if you have tools that are looking through your environment to know what kind of data you have, what kind of assets you have. There'll be an example of, I know, Intune uses asset management. As the asset owner, it may be your responsibility to ensure that you keep this tool up and operational and using it to determine your assets within your organization. They also will be important in developing the policies and the procedures around these assets, creating the policy where, okay, so is there patch management, when can you use the asset, when can't you use the asset? Those are the types of individuals that would then help develop and craft that overall policy for your organization.

Speaker 1:  

Data processors. Now, data processors, this is usually a third-party organization. It can be in-house, but in many cases it's a third-party company that was responsible for the manipulation of the data in various business processes. This calls out a lot in GDPR. They want data processors involved, but they're responsible for the overall data itself and the processing of it and the shipment of it as well. Many of these activities are in line with legal and regulatory requirements and they will have that kind of expectation for the role. When you're dealing with the NIST cybersecurity framework, this is relevant to the protect and respond functions as it relates to the CIA triad. So, as you're talking about NIST again, if they ask questions of how is the data protection, or should say the data processor, tied to the overall NIST cybersecurity framework, it would be under protect and respond.

Speaker 1:  

Now, the key responsibilities of the data processor would be, obviously, processing the data on behalf of the controller. They execute specific functions, such as storage, encryption or analytics taken for the specific data itself. They are responsible for security measures to ensure that they safeguard the data during the processing phases of this, and they also are reliant upon the compliance and documentation piece to ensure that the controller's instructions are properly followed and that they meet their compliance with the legal requirements that may be defined by that specific controller, and this may be. You keep logs, you may keep audit trails and so forth, but this person is responsible for that Any sort of data breach as it relates to the data itself. They would be the person that would contact the data controller. Now, keep in mind, the processor and the controller could be the same person once again, but they wanted to define each of these specific roles so that you knew what the processor did, you knew what the controller did and so forth, and then they could deal with also due diligence around the contractual reviews that you may see related to the overall data processing.

Speaker 1:  

Now, data controllers, these are people that determine the purpose and the means for data processing activities that may occur. Now that typically the data controllers are within, like say, within a company, you'll have a controller who their responsibility is to know what data should be processed. They will then send that to a processing third party and that processing third party will manage the data and basically process it. Now, like I said before, you can have the controller and the processor as the same person within your organization. It just depends how you've defined that role, but in many large companies the controller and the processor will be different. The detailed responsibilities around a controller is, again, data collection methods, how will the data be collected, and then any privacy laws that they have to follow and maintain. The controller will be tied to those, specifically when you're dealing with the cybersecurity framework itself. This aligns, the controller aligns with the identify and protect functions similar to the processor. Now the key responsibilities, obviously, of the data controllers we talked about earlier. They are the data protection methods and privacy compliance. They also determine the purpose and means and they decide how and why the data processing activities are occurring. They'll determine the overall purpose of the collection, such as market research, customer service improvement and so forth.

Speaker 1:  

We talked about the privacy. They will be ensuring that they have privacy by design. It's a term that you'll hear again and you probably will read it in your CISSP exam, is privacy by design, and that approach is to development of all new systems that are being created. You develop them with the privacy in mind and ready to go. Again, compliance: they will ensure that they follow it as it relates to GDPR and CCPA. And then the data subject rights as well, of what is a data subject and what is their right for access, what is their right to collect and delete their data. And then contract management: obviously, they will come along and make sure that the contracts are properly in place.

Speaker 1:  

Data custodians, these are technical experts that are tasked with the day-to-day management of the data. They ensure the data owner's policies and guidelines are implemented, and they're the ones that will basically do a lot of the heavy lifting as it relates to the data itself. They'll make sure that the security controls are implemented and they will conduct regular audits. Now the key question around is can the processor, custodians and controllers all be the same person? Like I said before, they can be. Typically, they will be separated, but they can also be together under one specific role, depending on the size of your company.

Speaker 1:  

Now, as it relates to the framework itself, the NIST cybersecurity framework, the custodians are the folks that implement. They do the implementation part of the phase and they put everything into practice. Some of the responsibilities will fall around data storage and backup, data security, access management, compliance, data maintenance and then also retrieval and recovery. So they have a lot of different responsibilities that go into this. So, from the point of ensuring that backups are done, they're available for people to use, the overall security is in place around encrypting of the data, and then they ensure that the patches and updates are done as well.

Speaker 1:  

Now, what is an administrator? An administrator, these are individuals with special access permissions that are responsible for the technical health of the system itself. So you have the administrator, who can make sure that the systems are up and operational. They ensure patches are updated. They may work with the overall data custodians to ensure that this is done. They also have access control management. They will make sure that only authorized people can access these systems and they will be the ones that will provide those roles to them.

Speaker 1:  

Now, some key responsibilities around administrators you may run into would be the system configuration, user management, monitoring and auditing, software management and then resource allocation. And what do all those mean? Well, when you're dealing with system configuration, it could be configuring the system settings and network that ensures that you have proper software that's installed. They may do that for you. They may be the ones that set up all the new users within your organization. You may have an automated system that does that for you, but this person would then ensure that that automated system is actually meeting the requirements that you want. They will ensure that there's auditing and the logs are done and there's auditing and monitoring that are set up and then, as well as the resource allocation, to ensure that they have the proper systems that can ensure that these systems are running correctly. So, as an example, if you have it in AWS, you would ensure that the systems that are being, that are housing or managing this data, that they have the proper CPU, the proper computing power to allow that to occur. They also would be somebody within the incident response place of you're dealing with an administrator. They would be tied into incident response and how you would deal with an overall security incident if it were to occur within your organization.

Speaker 1:  

Now we're going to get into users and subjects. These are end users who interact with a system and the data but do not have a role in defining how the data is protected or processed. Now their overall responsibility obviously the user or the person that is doing this is they must adhere to the organization's acceptable use policy, which basically means what is acceptable use for this data itself, and, as a security professional, you should have an acceptable use policy in place, and so it's important that, as the user, they follow these. Now this could be down to. Responsibilities would be around authentication and authorization. They ensure that they're doing the right thing as it relates to passwords, smart cards, any of that specific logon information. They properly handle the data and disseminate the data. They're not sending this information. If you have a policy that says do not send information that's business related outside of our organization, they're not doing that. They will take the awareness and training pieces and this is important that they do have regular security awareness, training and phishing tests, and then also they should be tied into the incident reporting that's available to them. They also report any usage If there's any issues that they are having problems with. They would be the ones that would manage that and would also report it to you. And it's important that you have users that understand the data protection policies within your organization, because if something goes outside of those protections, they inform you of it. I've had numerous cases where the data was maybe mishandled accidentally and I've had users contact me saying, hey, this is what occurred, what do you recommend? And I've had to go through and help them with that situation. So the bottom line is that users you need to be able to ensure that they understand their responsibility as it relates to the protection of the overall data itself. 
Now I'm going to quickly go over some of the regulations you may see as it relates to data protections, and one thing to keep in mind is you can see more of this information at cisspcybertraining.com or you'll be able to see it on YouTube as well. But bottom line is that we're just going to quickly go over some of the regulations that would be tied to the overall data roles that you may see within your organization.

Speaker 1:  

Obviously, GDPR deals with data controllers, data processors and data owners. We talked about the data controller and the processors. It is their responsibility to ensure that there's lawful collection and processing of the data. As it relates to GDPR, the owner's responsibility is they must approve and monitor the data collection that's occurring, and you're going to need to understand that within the CISSP, to help you understand what are the best security measures to put in place in the overall protection of the data.

Speaker 1:  

As you're right, in the United States there's the Health Insurance Portability and Accountability Act. This is one thing where you will have to as a CISSP. This is where the data owners and the data custodians are an important factor. They will deal with the classification of healthcare data and the custodians are responsible for maintaining and securing the data. Those are called out specifically within HIPAA itself. There's FISMA, which is the Federal Information Security Management Act. This is where asset owners and administrators are the key factors within that, and that's in the United States as well. They're responsible for inventory and the security controls of federal information systems and this is a big factor, especially as we relate to the CMMC, which is your Cybersecurity Management Maturity Certification. That is a key factor with understanding what are the overall asset owners and the administrator roles.

Speaker 1:  

SOX, this is Sarbanes-Oxley, this is another one that's in the United States and you will see that within the CISSP they may reference SOX. It deals primarily with the overall financial sector and it deals with business practices, including data handling and the transparent and correct reporting. This would be tied to business and mission owners, so folks that own the business themselves. Their responsibilities are tied specifically to SOX. PCI DSS, the financial industry as well. This is a global thing, not just the United States, and you need. It calls out data owners and data custodians. These data owners, they must classify the cardholder data and the custodians must ensure that it is secured and managed. So PCI DSS is a global standard as it relates to credit cards and you will deal with it wherever you go.

Speaker 1:  

California Consumer Privacy Act, this is in California, but it does have broader impacts overall. It does have the responsibilities where the data owners and the users and subjects are a key factor in the CCPA. The data owners must provide transparency of the data and obviously the users and the subjects have the right to opt out of the data being stored on them. Very similar to GDPR and the fact that you have the right to be forgotten. But CCPA is one that may be it's in the United States and it's in California, but it does in the United States at least. Other states will look to California for guidance on how they do business, and other countries may look to this as well on how they want to protect their citizens.

Speaker 1:  

The Children's Online Privacy Protection Act, COPPA, this is for kids, obviously, protecting kids online, and it's in the United States. But when I give you the United States different acts, many countries are looking to this to use it as well. I mean, there's no reason to reinvent the wheel, so they will use some of these acts that are defined in the United States when they define their own. I've seen that in China and I've seen it in Europe as well. They all kind of share from each other, but this has specific roles around the guidance for data collection, especially for children under the age of 13. And so, as a CISSP, you need to understand COPPA and ensure that you do have compliance to that within your organization.

Speaker 1:  

And the last one is PDPA, which is one I hadn't really heard of until I kind of dug a little bit deeper into this. This is in Singapore. This relates to the protection of personal data against unauthorized access or risks. This is where the data custodians and the data owners would be a big factor within PDPA. You will need to understand not necessarily that it may not pull up the Singapore regulation, which I think you're going to see in future CISSP exams more of these global regulations, because there's just more of them coming online, but it's important for you to be aware that if you get the Personal Data Protection Act, if you get that question and it's about in Singapore, you need to be able to, as a CISSP, understand. You may not know that act itself, but you need to understand what would you think it would be asking for. And obviously Personal Data Protection Act would be dealing with personal data, which then allow you to think of okay, so how do I best protect that and what are they actually looking for in the question? Okay, that is all I've got for you today.

Speaker 1:  

Hey, head on over to cisspcybertraining.com. There's some great stuff out there for you. I'm actually looking to be making some changes to the offerings I have. I'm gonna get a little bit more personal. I've had so much demand for some different areas that it's actually overwhelming me and to the point of I'm actually gonna limit some of my access that I have both to myself and provide a little bit more content for you all to be able to study for the CISSP, going to take it to the next level where we're going to help you with your CISSP or your cyber career and going to provide you some guidance around that.

Speaker 1:  

But it'd be very, very specialized, very niche, very, for very specific people, and I'm only going to be offering a few of these coaching and cybersecurity mentorship programs every year. They're going to be very limited on what I can do just because of my time, and I want to be able to give whoever I'm working with the most amount of time I possibly can. So stay tuned. You'll see some more things coming around. That's coming here very, very quickly. I should have that here within the next couple of weeks and you will be seeing some more on that. All right, hope you have a wonderful day and I wish you the best with your CISSP studying and your CISSP testing. And it's awesome. You're going to get it done. I have no question about it. We'll catch you on the flip side, see ya.
