
In this video we will cover:
Governance, Risk management & Compliance
Why move to the cloud?
What problem does cloud computing solve?
In this video you will learn:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.
What is essential is that we must determine why we are moving into the cloud before making any changes. There are many things that cloud computing can provide to a business, but the decisions made must match the company's needs.
We encourage you to learn more about CCSP Domain 1 Introduction to Cloud by watching this video. See you in the next video.
In this video we will cover:
Governance, Risk management & Compliance
Where does Security start for Clouds?
Why do we need a Corporate Security Strategy?
Where is Data going to be?
ISMS (Information Security Management System)
In this video you will learn:
The security implemented within a business must move the company forward. The corporate strategy and governance guide the security strategy and governance, and this guidance must include the cloud and the corporation's relationship to it.
Risk management should drive all decisions within the business.
Corporations must comply with laws and regulations within today's fast-changing threat environment. Audits are used to verify the correct level of compliance is in place.
Information security professionals should plan to get in and out of the cloud. CCSPs should do this planning before any move into the cloud is made.
We encourage you to learn more about GRC in CCSP Domain 1 by watching this complete video. See you in the Next Video.
In this video we will cover:
Three different service models: SaaS, PaaS, and IaaS
IaaS Shared Responsibility Model.
PaaS Shared Responsibility Model.
SaaS Shared Responsibility Model.
MSP vs. CSP
Who builds the Cloud?
In this video you will learn:
Cloud computing has three different service models, each satisfying a unique set of business requirements. These three models are known as Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
A shared responsibility model is a cloud security framework that dictates the security obligations of a cloud computing provider and its users to ensure accountability.
MSPs manage technology and infrastructure, usually for private clouds, while CSPs offer the general public access to technology and infrastructure.
Cloud administrators build a cloud structure according to the architect's design, and a cloud storage administrator builds the cloud data storage according to the architect's design.
We encourage you to learn more about CCSP Service Models by watching this complete video. See you in the Next Video.
In this video we will cover:
Cloud and Its Contracts
In this video you will learn:
(ISC)² courses and books focus on service level agreements, but there are many other pieces to the contract. One is the master services agreement, which establishes the roles and responsibilities of each party. An SLA covers something specific, like bandwidth or reliability. A privacy level agreement (PLA) is called a data processing agreement under GDPR in Europe. A PLA informs the cloud provider that you will be storing personal data (PII) in the cloud and what you expect of their security controls.
We encourage you to learn more about The cloud and its contracts by watching this complete video. See you in the Next Video.
In this video we will cover:
Cloud Infrastructure
What we need to build a Cloud.
Storage Area Network
Virtualization
Who runs the Cloud?
Hypervisor Type 1, Hypervisor Type 2
Containers
Application Virtualization
In this video you will learn:
Creating a cloud infrastructure requires a lot of time, effort, and money. The CapEx is spent by the cloud provider, leaving the OpEx to the cloud customer.
Virtualization is what makes it possible for a cloud provider to sell IaaS, PaaS, and SaaS. For this to work we need compute, storage, and network services.
You will learn about Hypervisor and its types, containers, and virtualized applications.
We encourage you to learn more about Building the Cloud by watching this complete video. See you in the Next Video.
In this video we will cover:
Cloud Security
ISO 27002
NIST SP 800-53
ISO 27017
General Grouping Of Controls
Control Types
Control Categories
In this video you will learn:
We need to control the clouds that we build. Security controls can be found in two documents: ISO 27002 and NIST SP 800-53. In theory, these documents contain all security controls.
ISO 27017 is the code of practice for Information Security Controls based on ISO/IEC 27002. It is a subset of all the controls that are found inside ISO/IEC 27002 that apply to cloud environments.
Controls can be divided into safeguards and countermeasures. There are three types of controls: administrative, technical, and physical. The controls we choose should be tested and vetted.
We encourage you to learn more about Securing The Cloud by watching this complete video. See you in the Next Video.
In this video we will cover:
Control Verification
ISO 15408 Evaluation Assurance Levels
Testing Cryptography Products
FIPS 140-2 Levels
In this video you will learn:
The security controls we choose should be tested and vetted. ISO 15408 Common Criteria is a standardized test methodology, so that, for example, a Cisco firewall and a Check Point firewall can be tested by two different labs in two different countries and the results can still be compared to determine the best firewall for a given use.
There are seven Evaluation Assurance Levels; level 1 is the lowest and level 7 the highest. If we are testing cryptography specifically, a different document applies: FIPS 140-2 (and 140-3), a standard for the security, including the physical security, of a cryptographic module within a system. FIPS 140-2 has four levels; level 1 is the lowest and level 4 the highest.
We encourage you to learn more about Control verification by watching this complete video. See you in the Next Video.
In this video we will cover:
Threats to the Cloud
Provider Lock-In, Provider Lock-Out, and Provider Exit
Guest Escape
Guest Hopping
Legal Responsibility
Serious Control
Treacherous 12
In this video you will learn:
Provider lock-in: you will have an issue if you are locked into a proprietary platform. Portability is the ability to easily transfer data from one system to another without being required to re-enter it.
Provider lock-out (bankruptcy): this is a problem from two major perspectives. First, you are locked out of your cloud and no longer have access to it. Second, the courts are going to take the provider's assets and sell them to pay the bills, and your data is included in those assets.
Provider exit: the cloud provider wants to get out of a line of business.
More problems to discuss within the cloud are Guest escape and Guest hopping.
You will also learn about the legal responsibilities, MITC, hyperjacking, and the Treacherous 12.
We encourage you to learn more about Threats to the Cloud by watching this complete video. See you in the Next Video.
In this video we will cover:
Artificial Intelligence
Machine Learning
BlockChain
Internet Of Things (IoT)
Quantum Computing
In this video you will learn:
AI aims at giving computers the ability to duplicate the thought process of the human brain. While we work on getting there, they can at least approximate humans' learning, reasoning, and problem-solving capabilities.
Machine learning is simply defined as the ability of computers to learn using algorithms rather than being specifically programmed to do something. Machine learning is arguably a subset of AI. The three types of machine learning are supervised learning, unsupervised learning, and reinforcement learning.
The Internet of Things is a giant network of connected things such as computers, light bulbs, IP cameras, drilling rigs, pool pumps, and many more.
Blockchain is a timestamped series of unalterable records of data. The blocks of data are bound to each other using cryptographic principles.
You will also learn about quantum computing, which relies on qubits (quantum bits) to store data and information rather than the traditional bits in today's computers.
We encourage you to learn more about Related Technologies by watching this complete video. See you in the Next Video.
In this video we will cover:
Cloud Data Security
Data Lifecycle
In this video you will learn:
Domain 2 is Cloud Data Security. It is 19% of the test. Cloud data security means securing a company's data and information in a cloud.
We encourage you to learn more about Intro to cloud Data Security by watching this complete video. See you in the Next Video.
Everything has a lifecycle, and the data lifecycle is create, store, use, share, archive, and destroy.
Creation, according to the Cloud Security Alliance, is both the generation and the alteration/updating of content. The second step is store; when you create data you should classify it.
The Cloud Security Alliance definition of use is to view, process, or otherwise use the data, but not to modify it. You may or may not share the data and/or put it in an archive or long-term storage.
The archive is a separate, distinct space and location where you store the data, so you go through a specific process to put data into the archive. In the end, you may or may not destroy the data. Some data, like birth records, is intended to be kept.
In this video we will cover:
Protect Data Through Lifecycle
In this video you will learn:
We can protect data through the data lifecycle. Protection mechanisms include Policy, Backup, IAM, Encryption, DLP, and DRM. Policies are something that we need to do and they should be written with consequences should someone not follow them. We also need to include data protection requirements from laws and regulations that we need to be in compliance with, such as GDPR or SOX.
We encourage you to learn more about Data Protection Policy by watching this complete video. See you in the Next Video.
In this video we will cover:
Information Classification
Classification
Cloud Questions
In this video you will learn:
Information classification is a process in which the organization assesses its data and Information and what should be done to secure them.
According to (ISC)² logic, CISSPs are responsible for writing the policies within a business.
According to ISACA, we should have fewer than 24 information security policies within a business. We need to make sure that we match the needs of the business. Every business should have a classification policy describing how to protect the data and information that it has.
The data protection policy should include classification. We need to know the number of levels, their names, and handling/securing requirements. The levels and their names should make sense to the business and its employees. It is best to ensure there are as few levels as possible to reduce confusion. Confusion causes under and over-classification problems.
We need to ensure that the data protection policy also includes information regarding our clouds. What data can be stored in the cloud? Which cloud? What type of configuration?
We encourage you to learn more about Data Classification by watching this complete video. See you in the Next Video.
In this video we will cover:
Data Science
In this video you will learn:
Data science is the conduct of data analysis as an empirical science, learning directly from the data itself. There are two ways to do that: the first is collecting data through open-ended analysis and the second is the formulation of a hypothesis. In both methods the conclusion is based on the data (NIST SP 1500-1).
We encourage you to learn more about Data Science by watching this complete video. See you in the Next Video.
Data governance is a fundamental element in the management of data and data systems. Data governance is the management across the complete data lifecycle. To maximize its benefits data governance must consider the issues of privacy and security.
We need to extend the data governance logic into the cloud as well.
In this video we will cover:
Database
Data Warehouse
Meta data
In this video you will learn:
A database is a collection of data and we could have multiple databases for different departments.
A data warehouse centralizes and consolidates a large amount of data from multiple sources. Data warehouses are solely intended to perform queries and analysis and often contain large amounts of historical data.
We encourage you to learn more about Structured Data - Database and Data Warehouse by watching this complete video. See you in the Next Video.
In this video you will learn:
Big data consists of extensive datasets characterized primarily by the three original Vs (volume, variety, velocity) and the two added Vs (veracity and/or variability). Big data requires a very scalable architecture for efficient storage and analysis.
We encourage you to learn more about Unstructured Data - Big Data by watching this complete video. See you in the Next Video.
In this video we will cover:
Data Storage
Structured Storage
Unstructured Storage
IaaS Terminology
PaaS Terminology
Data Dispersion
In this video you will learn:
There are two types of storage, structured and unstructured. Structured storage is block storage, while unstructured storage is object storage. Structured storage is perfect for something like a database: data is stored in volumes and blocks, and the file or the data is split into equal-sized pieces (blocks). A block can be located but does not have metadata associated with it.
Unstructured storage is object storage, which stores one piece of data at a time. Each object could be a file, a video, a picture, etc. Object storage is not hierarchical the way file storage is. Each object is stored with metadata and a unique identifier that allows it to be located.
In IaaS the structured option is called a volume and the unstructured option is called object or file storage, according to the Cloud Security Alliance. In PaaS the structured option is called block and the unstructured option is called blob.
We also covered data dispersion in this video. We encourage you to learn more about Data Storage by watching this complete video. See you in the Next Video.
In this video we will cover:
Data Dispersion
In this video you will learn:
In the cloud, data does not simply end up on a single drive. Data dispersion is a normal thing that occurs in the cloud. First the data is chunked or sharded. Then each piece is sent to a drive on a server, and the next chunk or shard is sent somewhere else, to another drive on another server. So the file itself is dispersed across the cloud. This is similar in nature to how RAID works within a single server; the difference is that the data is distributed between drives on different servers.
We have covered other important points as well. We encourage you to learn more about Data Dispersion by watching this complete video. See you in the Next Video.
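The following is an added example, not code from the course, that simulates the dispersion described above in memory: a constructed sample file is chunked, the chunks are spread over four constructed servers with a rotating XOR parity chunk (the RAID-5 idea the video compares it to), and the file is rebuilt both intact and after one server has been lost. Server names, chunk size and sample data are all assumptions made for the demonstration.

```python
"""Data dispersion simulated in memory: chunk a file, spread the chunks over
several servers with a rotating XOR parity chunk (RAID-5 style), then rebuild
the file even after one server has been lost.

Added example written for this summary; it is not the course's code. The
server names, chunk size and sample data are constructed for the demonstration.
"""
from typing import Dict, List, Set, Tuple

CHUNK_SIZE = 8  # bytes per chunk; small so the layout stays readable

# server -> (stripe number, slot) -> chunk bytes
Layout = Dict[str, Dict[Tuple[int, int], bytes]]


def chunk(data: bytes, size: int = CHUNK_SIZE) -> List[bytes]:
    """Split data into equal-sized chunks, zero-padding the last one."""
    padded = data + b"\x00" * (-len(data) % size)
    return [padded[i:i + size] for i in range(0, len(padded), size)]


def xor_chunks(chunks: List[bytes]) -> bytes:
    """XOR all chunks together; used both to compute parity and to rebuild."""
    out = bytearray(CHUNK_SIZE)
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def disperse(data: bytes, servers: List[str]) -> Layout:
    """Spread data across servers. Each stripe holds len(servers)-1 data
    chunks plus one parity chunk, each on a different server; the parity
    position rotates per stripe so no single server is 'the parity disk'."""
    n = len(servers)
    width = n - 1
    layout: Layout = {s: {} for s in servers}
    data_chunks = chunk(data)
    for stripe_no, start in enumerate(range(0, len(data_chunks), width)):
        stripe = data_chunks[start:start + width]
        stripe += [bytes(CHUNK_SIZE)] * (width - len(stripe))  # pad last stripe
        pieces = stripe + [xor_chunks(stripe)]  # slot n-1 is the parity chunk
        for slot, piece in enumerate(pieces):
            layout[servers[(slot + stripe_no) % n]][(stripe_no, slot)] = piece
    return layout


def reassemble(layout: Layout, servers: List[str], length: int,
               lost: Set[str] = frozenset()) -> bytes:
    """Rebuild the original bytes from the servers still available.
    One missing piece per stripe is recovered by XORing the other pieces
    (all n pieces XOR to zero). Raises ValueError if a stripe lost more."""
    n = len(servers)
    stripes: Dict[int, Dict[int, bytes]] = {}
    for server, pieces in layout.items():
        if server in lost:
            continue
        for (stripe_no, slot), piece in pieces.items():
            stripes.setdefault(stripe_no, {})[slot] = piece
    out = bytearray()
    for stripe_no in sorted(stripes):
        pieces = stripes[stripe_no]
        missing = [slot for slot in range(n) if slot not in pieces]
        if len(missing) > 1:
            raise ValueError(f"stripe {stripe_no}: {len(missing)} pieces lost, only 1 recoverable")
        if missing:
            pieces[missing[0]] = xor_chunks(list(pieces.values()))
        for slot in range(n - 1):  # data slots only; parity is not file content
            out += pieces[slot]
    return bytes(out[:length])


def run_demo() -> Dict[str, object]:
    """Disperse a constructed sample file over four servers, then rebuild it
    with no loss, with one server lost, and show that two losses are too many."""
    servers = ["srv-a", "srv-b", "srv-c", "srv-d"]
    sample = b"The quick brown fox jumps over the lazy dog"  # constructed data
    layout = disperse(sample, servers)
    results: Dict[str, object] = {
        "pieces_per_server": {s: len(p) for s, p in layout.items()},
        "intact": reassemble(layout, servers, len(sample)) == sample,
        "one_lost": reassemble(layout, servers, len(sample), {"srv-b"}) == sample,
    }
    try:
        reassemble(layout, servers, len(sample), {"srv-b", "srv-d"})
        results["two_lost_recoverable"] = True
    except ValueError:
        results["two_lost_recoverable"] = False
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point a practitioner should take from this is that dispersion by itself is a durability feature, not a confidentiality one: every server still holds readable fragments, so the provider's physical and logical controls on each server matter as much as the redundancy.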
In this video we will cover:
Application Programming Interface
In this video you will learn:
APIs are fundamentally a request and response protocol. There is SOAP and there is REST.
SOAP is heavy and complicated, with a lot of features. This might be why it is no longer an acronym, because the S stood for "simple". SOAP is XML based, which requires more knowledge and work from the software developer. As a bonus, it does have security features built in, such as encryption of the data in transit.
REST, meanwhile, is a lighter protocol. REST can use XML, but most of the time it is constructed with JavaScript Object Notation (JSON). It is essentially web requests, so TLS can be used to encrypt the data in transit.
We have covered other important points as well. We encourage you to learn more about Application Programming Interfaces by watching this complete video. See you in the Next Video.
In this video we will cover:
Encryption
In this video you will learn:
We need to know the basics of encryption for this test. There are three basic things to know here: symmetric, asymmetric, and MIC (Message Integrity Control).
Symmetric is perfect if you want to keep something confidential. Message Integrity Control has to do with integrity. Asymmetric has to do with authenticity.
We encourage you to learn more about Encryption by watching this complete video. See you in the Next Video.
In this video we will cover:
Data In Use
In this video you will learn:
Encryption Of Data In Use is an approach in which work is being done to figure out how to keep data encrypted while it is being used. The encryption methodology that applies to this is known as homomorphic cryptography.
We encourage you to learn more about Encrypting Data In Use by watching this complete video. See you in the Next Video.
In this video we will cover:
Encryption Of Data At Rest
In this video you will learn:
What we actually use encryption for today is encrypting data at rest and data in transit. With data at rest you can encrypt anything: a single file, a folder, a partition, or an entire drive.
We encourage you to learn more about Data at rest encryption by watching this complete video. See you in the Next Video.
In this video we will cover:
SSH
In this video you will learn:
We use encryption for data in transit all of the time, and there are three specific protocols that we use in transit today: SSH, TLS (formerly SSL), and IPSec.
SSH is used first and foremost by administrators when they are remotely connecting to and configuring devices such as routers, switches, and servers. It can be used for other purposes though.
We encourage you to learn more about SSH by watching this complete video. See you in the Next Video.
In this video we will cover:
TLS
In this video you will learn:
We use encryption for data in transit all of the time, and there are three specific protocols that we use in transit today: SSH, TLS (formerly SSL), and IPSec.
TLS is used first and foremost for the purpose of web-based connections. It is a client-server protocol originally developed by Netscape. It can be used for other purposes though.
We encourage you to learn more about TLS by watching this complete video. See you in the Next Video.
In this video we will cover:
IPSec
In this video you will learn:
We use encryption for data in transit all of the time, and there are three specific protocols that we use in transit today: SSH, TLS (formerly SSL), and IPSec.
IPSec is used first and foremost to protect single-hop connections running over WAN or Internet service providers. It can be used for other purposes though.
We encourage you to learn more about IPsec by watching this complete video. See you in the Next Video.
In this video we will cover:
Symmetric Encryption
In this video you will learn:
Symmetric cryptography is also known as single-key, session-key, and shared-key cryptography because a single key is shared between transmitter and receiver. You can use it to encrypt anything, such as data, voice, or video, as well as files, folders, drives, and partitions. Whatever you want to encrypt, symmetric is great for it. It keeps things confidential.
We encourage you to learn more about Intro to Symmetric by watching this complete video. See you in the Next Video.
In this video we will cover:
Asymmetric Encryption
In this video you will learn:
Asymmetric encryption serves two main purposes. First, it is good for exchanging and negotiating symmetric keys. Second, it is used to authenticate the source with a digital signature.
We encourage you to learn more about Introduction to Asymmetric Encryption by watching this complete video. See you in the Next Video.
In this video we will cover:
Public Keys
Private Keys
In this video you will learn:
Verifying the source, whether it is the sender or the receiver, is only possible when you have public and private key pairs.
If the public key is used for encryption, then the private key must be used for decryption. Only the owner of the private key can decrypt, because the key is kept private; it should never be shared with anyone. This achieves confidentiality of the transmitted information, and a common use is to exchange the symmetric key.
If the private key is used for encryption, then the public key must be used for decryption. Anyone can decrypt, since the public key is public, so this does not achieve confidentiality, but it does prove the source. We call this a digital signature.
We encourage you to learn more about the Use Of Public and Private Keys by watching this complete video. See you in the Next Video.
In this video we will cover:
Hashing
In this video you will learn:
Hashes are one-way functions. A hash algorithm is run against the data and produces a fixed-length answer. Its purpose is to prove the integrity of the message. Hashing alone lets you detect accidental changes, but not intentional, malicious ones, because whoever changes the data can simply recompute the hash.
If the hash is encrypted, we can protect it from intentional, malicious changes. We have also highlighted the important points explaining hashing. We encourage you to learn more about Hashing by watching this complete video. See you in the Next Video.
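The following added example (not the course's code) makes the public/private key and hashing discussions above concrete in one place. It shows an unkeyed hash catching corruption but not a deliberate swap, a keyed hash (HMAC) as one form of the "protected hash", and a digital signature made with a private key and verified with the public key. The message, the shared key and the RSA parameters are constructed for the demonstration; the RSA is textbook "toy" RSA with small primes and no padding, used only to make the sign/verify direction visible.

```python
"""Integrity checking three ways: an unkeyed hash, a keyed hash (HMAC) and a
digital signature made with a private key and checked with the public key.

Added example written for this summary, not the course's code. The message,
the HMAC key and the RSA parameters are constructed for the demonstration;
the RSA part is textbook ("toy") RSA with small primes and no padding.
"""
import hashlib
import hmac
from typing import Tuple

MESSAGE = b"Transfer 100 USD to account 12345"   # constructed sample
TAMPERED = b"Transfer 900 USD to account 12345"  # attacker's modified copy
SHARED_KEY = b"constructed-shared-secret-key"     # known to sender and receiver only


def digest(data: bytes) -> bytes:
    """One-way function: fixed-length (32-byte) SHA-256 digest of the data."""
    return hashlib.sha256(data).digest()


def verify_plain(received: bytes, received_digest: bytes) -> bool:
    """Unkeyed integrity check: recompute the hash and compare.
    Catches accidental corruption, but anyone can recompute a matching
    digest for a modified message, so it does not stop deliberate tampering."""
    return hmac.compare_digest(digest(received), received_digest)


def mac(key: bytes, data: bytes) -> bytes:
    """Keyed hash (HMAC-SHA256): a hash protected by a shared secret."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_mac(key: bytes, received: bytes, tag: bytes) -> bool:
    """Only a holder of the key can produce a tag that matches."""
    return hmac.compare_digest(mac(key, received), tag)


def toy_rsa_keypair() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Textbook RSA with two Mersenne primes. Returns ((e, n), (d, n)).
    Not secure: no padding and only a ~92-bit modulus."""
    p, q = 2 ** 31 - 1, 2 ** 61 - 1
    n = p * q
    e = 65537
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def sign(private_key: Tuple[int, int], data: bytes) -> int:
    """Hash the data, then 'encrypt' the hash with the private key."""
    d, n = private_key
    h = int.from_bytes(digest(data), "big") % n
    return pow(h, d, n)


def verify_signature(public_key: Tuple[int, int], data: bytes, signature: int) -> bool:
    """Anyone with the public key can check the signature; it proves the
    source (only the private key could have made it), not confidentiality."""
    e, n = public_key
    h = int.from_bytes(digest(data), "big") % n
    return pow(signature, e, n) == h


def run_demo() -> dict:
    """Exercise the three checks against the genuine and tampered messages."""
    sent_digest = digest(MESSAGE)
    sent_tag = mac(SHARED_KEY, MESSAGE)
    public_key, private_key = toy_rsa_keypair()
    sent_signature = sign(private_key, MESSAGE)
    return {
        # plain hash: corruption in transit is caught, a recomputed hash is not
        "hash_catches_corruption": not verify_plain(TAMPERED, sent_digest),
        "hash_catches_attacker": not verify_plain(TAMPERED, digest(TAMPERED)),
        # HMAC: an attacker without the key cannot produce a valid tag
        "mac_accepts_genuine": verify_mac(SHARED_KEY, MESSAGE, sent_tag),
        "mac_catches_attacker": not verify_mac(SHARED_KEY, TAMPERED, digest(TAMPERED)),
        # signature: verifiable with the public key, breaks on any change
        "sig_accepts_genuine": verify_signature(public_key, MESSAGE, sent_signature),
        "sig_catches_attacker": not verify_signature(public_key, TAMPERED, sent_signature),
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check:24s} {ok}")
```

Running it shows `hash_catches_attacker` as False and the HMAC and signature checks as True, which is exactly the distinction the video draws: a bare hash proves nothing about who produced it, a keyed hash proves a shared-key holder did, and a signature proves the private-key holder did.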
In this video we will cover:
Key Location
Transparent Encryption
In this video you will learn:
The critical question to answer is where is the key?
Normally for SaaS the key is with the provider. The exception is when a layer of encryption that the customer controls is applied on top of SaaS; then the keys can stay with the customer.
At the application level, relevant to IaaS and PaaS, the customer owns the application, so the key can be with them.
In IaaS you own the operating system and software on the virtual machines, so you can add the key.
At the database level, relevant to IaaS and PaaS, the customer and provider both have the key. When you are encrypting the database, the database itself has to have the key in order to do transparent encryption, which means the key must be stored with the database, which is in the cloud provider's network.
At the file level, related to IRM (Information Rights Management), the customer has the key.
In storage-level encryption for IaaS, PaaS, and SaaS you are encrypting a drive, so the key is with the cloud provider.
Transparent Encryption is a very specific term that applies to databases. When someone does encryption it needs to be done transparently. We encourage you to learn more about Key storage locations by watching this complete video. See you in the Next Video.
In this video we will cover:
Key Management Interoperability Protocol (KMIP) Specification
Key Management
Remote Key Management
Client-Side Key Management
In this video you will learn:
Key Management Interoperability Protocol (KMIP) is a communication protocol for the maintenance of keys. It is a single consistent protocol that consists of objects, operations, and attributes.
There are two specific terms in key management: internally managed and externally managed. If the keys are stored in the VM, they are internally managed; if not, they are externally managed. With externally managed keys, the keys are stored separately from the encryption engine.
Two more very specific terms are remote-key management and client-side key management. In both scenarios, the data is stored in the cloud and the customer has the key. The question to answer is where is the processing done?
In remote-key management, the key is on-premises with the customer, and data encryption/decryption processing is done with the cloud provider. The key is sent to the cloud for processing.
In client-side key management, the key is on-premises with the customer, and data encryption/decryption processing is done on the customer side. Data is sent to the customer for processing.
We encourage you to learn more about Key management by watching this complete video. See you in the Next Video.
In this video we will cover:
Public Key Infrastructure
Registration Authority
Certification Authorities
In this video you will learn:
PKI is the Infrastructure of trust involved with obtaining, managing, and verifying public keys. PKI manages key generation and distribution. Public keys are verified through Certificate Authority (CA) signed X.509 certificates. Without PKI it is very difficult to verify that a public key belongs to a specific entity.
There is also a separate function called the Registration Authority (RA). The RA verifies the identity of the user to whom the public key belongs. Identity could be confirmed by email address, in person, or by government-issued ID, to name a few methods.
CAs are the trusted third parties that bind an individual or an organization to a public key.
We encourage you to learn more about PKI by watching this complete video. See you in the Next Video.
In this video we will cover:
Key Storage
Trusted Platform Module (TPM)
Hardware Security Module (HSM)
FIPS 140-2/3
Data Protection
In this video you will learn:
The next question to answer is: Where do we store the key? A great answer is in a Hardware Security Module (HSM) or a Trusted Platform Module (TPM). It should not be in a Virtual Machine (VM). If the key is stored in a virtual machine that means that it would be saved in the object-based file that is the VM.
The TPM is designed for one thing, and that is the security of the key. It is a chip mounted on the motherboard of a computer, e.g., a laptop, tablet, desktop, or phone.
The HSM is also designed for one thing, and that is the security of the key. It can be used to create keys and to store keys. The HSM is a rack-mountable device for use in a data center with servers. Access to the HSM should be physically limited, and logical and physical controls need to be built into the box itself.
FIPS 140-2 and FIPS 140-3 are security requirements for cryptographic modules. FIPS 140-3 aligns with ISO/IEC 19790:2012(E), and testing for these requirements is in accordance with ISO/IEC 24759:2017(E).
We have also covered FIPS 140-2 /3 and the four levels a product could be tested to prove the physical security of that product. You will also learn about some key things related to data protection.
We encourage you to learn more about Key storage hardware by watching this complete video. See you in the Next Video.
In this video we will cover:
Masking
In this video you will learn:
Masking is used to hide data from the user's view, e.g., stars instead of the password on the screen. It is also used to cover the credit card number on the screen, whether for the user or for customer service.
People use a lot of different interpretations of masking, but nothing is defined by CSA, NIST, or ISO. So "to cover" is the most straightforward description that I think is needed for the exam at this time.
We encourage you to learn more about Masking by watching this complete video. See you in the Next Video.
In this video we will cover:
Tokenization
In this video you will learn:
To tokenize is to replace: when you tokenize data you take that piece of data out and put something else in its place. The best example is credit cards. Tokenization requires that another database be added to store the original data and the associated token. This allows the conversion from the token back to the original data value. So to tokenize is to replace, but not permanently.
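The following added example (not the course's code) puts the masking and tokenization descriptions side by side for the credit card case both videos use. Masking only changes what is displayed; tokenization replaces the stored value and keeps the original in a separate vault so it can be recovered. The card numbers, the in-memory vault and the token format (same length and last four digits, but deliberately failing the Luhn check so a token can never pass as a real card number) are assumptions made for the demonstration.

```python
"""Masking versus tokenization of a card number (PAN).

Added example written for this summary, not the course's code. The card
numbers, the vault and the token format are constructed; a production token
vault would be a separately secured database with its own access controls.
"""
import secrets
from typing import Dict, Optional

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str, visible: int = 4, fill: str = "*") -> str:
    """Masking hides the value on screen; the real data is untouched and
    nothing new is stored. Only the last `visible` digits remain readable."""
    return fill * (len(pan) - visible) + pan[-visible:]


class TokenVault:
    """Tokenization replaces the value with a surrogate and keeps the original
    in a separate store so the replacement can be reversed by authorised code."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return the existing token for a PAN, or mint a new one.
        The token keeps the length and last four digits so receipts and
        downstream systems still work, but it deliberately fails the Luhn
        check so it can never be mistaken for (or used as) a real card number."""
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Reverse the replacement; None if the token is unknown."""
        return self._token_to_pan.get(token)


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111111111111111"  # constructed test PAN
    tok = vault.tokenize(card)
    print("masked   :", mask(card))
    print("token    :", tok)
    print("original :", vault.detokenize(tok))
```

Note the asymmetry the video describes: `mask` is a display-time operation with nothing to protect afterwards, while `TokenVault` creates a new high-value store (the token-to-PAN mapping) that now needs the strongest controls in the system.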
We encourage you to learn more about Tokenization by watching this complete video. See you in the Next Video.
In this video we will cover:
Obfuscation
In this video you will learn:
Obfuscation is to confuse by obscuring data. You could say that encryption is obfuscation, but not all obfuscation is encryption. If you convert normal text to the font Wingdings then it is obfuscated. It is often used to protect source code and memory location information among other things. And hackers use it to hide their attacks from IDS/IPS and firewalls.
We encourage you to learn more about Obfuscation by watching this complete video. See you in the Next Video.
In this video we will cover:
Anonymization
In this video you will learn:
We have two things: de-identification and anonymization. (ISC)² only points to anonymization, but it can't hurt to know more terms. Anonymization is irreversibly removing direct and indirect identifiers. You cannot go back: once you anonymize something and remove the direct and indirect identifiers, you cannot recover them or put them back in place. De-identification removes only the direct identifiers.
We encourage you to learn more about Anonymization by watching this complete video. See you in the Next Video.
In this video we will cover:
Maturity Models
CMM - The Beginning
CMMI - Capability Maturity Model Integration
CMM ISO 21827
Original CMM
Security Awareness Maturity Models
In this video you will learn:
Maturity models trace back to CMM, the Capability Maturity Model, which was developed for the Department of Defense (DoD) in 1986. It is about processes, and it was primarily for software development.
CMM did not integrate well into the rest of the business, so the Capability Maturity Model Integration (CMMI) was developed. This is the current maturity model (MM) for software development. So we have the original CMM from 1986 with five levels of maturity, which was replaced by CMMI, which also has five levels of maturity. There is another CMM defined under ISO 21827; that CMM is for security engineering practices.
The five levels of maturity in Original CMM are, Initial, Repeatable, Defined, Capable and Efficient.
The first two levels are reactive in nature. When you get to three, four, and five you are now proactive.
The levels for CMMI are Initial, Managed, Defined, Quantitatively Managed, and Optimizing.
ISO 21827 levels are Performed Informally, Planned and Tracked, Well Defined, Quantitatively Controlled, and Continuously Improved.
We have also highlighted some more important points in this video regarding Security Awareness Maturity Models and PMM. We encourage you to learn more about Maturity Models by watching this complete video. See you in the Next Video.
In this video we will cover:
Digital Rights Management
In this video you will learn:
Digital Rights Management is familiar from things like Netflix, Pandora, Kindle, etc. It is all the machinery that controls the content. Inside a business you might instead call this IRM (Information Rights Management), which could be something like Locklizard.
So, very commonly, DRM is the term used for publicly accessible content and IRM is usually something within the business.
DRM software controls access to Intellectual Property (IP). It allows control of the content to include but is not limited to the length of access, print capability, screen capture capability, copy/paste capability, and sharing controls.
We have also highlighted some more important points in this video regarding DRM and IRM. We encourage you to learn more about DRM & IRM by watching this complete video. See you in the Next Video.
In this video we will cover:
Emerging Technologies
Neural Network
In this video you will learn:
Bit splitting is considered an emerging technology; we are not really using it in practice yet. There is a lot of material you can look through to research and get to know SSMS (Secret Sharing Made Short) and AONT-RS (All-or-Nothing Transform with Reed-Solomon).
Another emerging technology is neural networks. Neural networks reflect the behavior of the human brain, allowing computer programs to recognize patterns and solve common problems in the fields of AI, machine learning, and deep learning. We encourage you to learn more about Emerging Technologies by watching this complete video. See you in the Next Video.
In this video we will cover:
Cloud Platform and Infrastructure Security
Infrastructure
Virtualization
Hypervisors
In this video you will learn:
This domain is 17% of the test. In this domain, you will need to look at things from both the customer's point of view as well as the cloud provider’s perspective. The key to understanding cloud computing is to look at the common underlying attributes and characteristics of the technologies and concepts described. The more you understand the underlying cloud technology the better off you are for both the exam and the real world.
The truth is this is a data center class. It is current data center technology that enables companies like Amazon to sell their web services.
In order to virtualize machines (servers, computers, routers, switches, etc.) we use hypervisors. A Type 1 hypervisor is the operating system that you load on the bare-metal device you have just put in an equipment rack in a data center.
Type 2 Hypervisors are used for personal equipment the most. The laptop or desktop computer you are sitting at could have a type 2 Hypervisor. It allows you to load a 2nd or 3rd operating system on top of the native OS. So in type 1, you have the hardware and you put a hypervisor directly on top of it. In Type 2, your laptop or desktop has a host operating system which then allows you to build a virtual machine on top of it by adding that type 2 Hypervisor in the middle.
I recommend that you download and look through all of the additional content you will find throughout these videos. Here you also have the Guidance 4.0 from the CSA. It is a good thing to review as this is a CSA exam.
We encourage you to learn more about Intro to Platform & Infrastructure by watching this complete video. See you in the Next Video.
In this video we will cover:
Architecture
Physical
Logical
Service Orchestration — NIST SP 500-292
Abstraction
In this video you will learn:
Let’s start with the physical. There must be a data center with racks for the equipment. Then the actual hardware (e.g., routers, switches, servers) is added.
This breaks down into the four layers of architecture: applistructure, infrastructure, infostructure, and metastructure.
Infrastructure is the physical structure of the cloud. It is comprised of switches, servers, routers, etc.
Metastructure is where you encounter virtualizing of the physical. Everything from the hypervisor to virtual machines is found here.
Infostructure is the structure of cloud storage. It is where you find SANs or vSANs.
Applistructure refers to the deployed applications and their underlying services (e.g., message queues).
To build a cloud we need three things: storage, compute, and network. All three elements have to be there in order for the cloud to work.
We have also highlighted some more key points in this short video. We encourage you to learn more about Architecture by watching this complete video. See you in the Next Video.
In this video we will cover:
Storage
Compute
Network
Cloud Management Plane
In this video you will learn:
Cloud requires three things, storage, compute, and network capabilities.
We need to have storage to place the data. There are two types of storage, one is block storage and the other one is object storage.
Next is the compute capability. This provides the ability to create VMs.
And, then we need network capability. This allows for virtualized networks to be built within the host servers running a hypervisor.
To log into the physical server we need the management plane. Logging into the hypervisor allows us to build virtual servers, virtual databases, virtual desktops, and virtual networking devices. Since the management plane allows for the monitoring and configuration of cloud resources it must be protected. Choose multi-factor authentication!
We encourage you to learn more about Compute, Storage, and Network by watching this complete video. See you in the Next Video.
In this video we will cover:
Networking
Switch and MAC Address
LAN
In this video you will learn:
Today’s businesses rely on their networks. Without it most businesses barely function. Without a network, we don’t have a cloud. As we build the cloud the provider must still build a traditional network with real switches and routers. For the customer to function we virtualize the networks and put them inside of the server by using hypervisors.
If you are not familiar with the basics of networking it is essential that you study it. If you already know IP addresses, DHCP servers, and what a router is (among many other pieces) then you could skip this section. But do make sure that you have the basics.
We need to know LANs, WANs, routers, and switches (and more). Switches are the most common device that we probably have in networks today. Switches are used to create LANs.
Switches make forwarding decisions based on MAC addresses that are learned by listening to the network traffic.
We have also highlighted some key points related to switches and LAN.
We encourage you to learn more about Intro to Networking and Switches by watching this complete video. See you in the Next Video.
In this video we will cover:
VLAN
In this video you will learn:
A VLAN allows different computers and devices to be connected virtually to each other as if they were in a LAN sharing a single broadcast domain.
VLANs emulate real LANs. Broadcast packets are forwarded within a LAN/VLAN.
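To make the two points above concrete (a switch learns MAC addresses by listening, and a VLAN is its own broadcast domain), here is an added simulation of a learning switch. It is example code written for this summary, not code from the course; the port numbers, MAC addresses and VLAN assignments are assumed.

```python
"""Constructed example (not from the course): a learning switch whose forwarding
table is scoped per VLAN. Ports, MACs and VLAN ids below are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class LearningSwitch:
    # access port -> VLAN id (assumed topology)
    port_vlan: Dict[int, int]
    # (vlan, mac) -> port, learned purely by listening to traffic
    mac_table: Dict[Tuple[int, str], int] = field(default_factory=dict)

    def receive(self, in_port: int, frame: Frame) -> List[int]:
        """Learn the source MAC, then return the egress port(s) for the frame."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, frame.src)] = in_port
        if frame.dst == BROADCAST:
            return self._flood(vlan, in_port)
        out_port = self.mac_table.get((vlan, frame.dst))
        if out_port is None:
            return self._flood(vlan, in_port)  # unknown unicast: flood within the VLAN
        if out_port == in_port:
            return []  # destination is on the ingress port; nothing to forward
        return [out_port]

    def _flood(self, vlan: int, in_port: int) -> List[int]:
        # broadcast domain = every port in the same VLAN except the ingress port
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)


def demo() -> dict:
    """Walk through learning, known-unicast forwarding and VLAN isolation."""
    sw = LearningSwitch(port_vlan={1: 10, 2: 10, 3: 10, 4: 20, 5: 20})
    a, b, c = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
    results = {}
    results["unknown_unicast"] = sw.receive(1, Frame(a, b))          # floods to ports 2 and 3 only
    results["learned_reply"] = sw.receive(2, Frame(b, a))            # A was learned on port 1
    results["known_unicast"] = sw.receive(1, Frame(a, b))            # B is now known on port 2
    results["broadcast_vlan20"] = sw.receive(4, Frame(c, BROADCAST))  # never leaves VLAN 20
    results["cross_vlan"] = sw.receive(4, Frame(c, a))               # A is unknown inside VLAN 20
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:18} -> ports {ports}")
```

The last case is the security-relevant one: a host in VLAN 20 addressing a MAC that lives in VLAN 10 only causes a flood inside VLAN 20, because the table is keyed by (VLAN, MAC); without a router or a misconfigured trunk the frame never reaches the other segment.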
We encourage you to learn more about VLAN & Virtualized LAN by watching this complete video. See you in the Next Video.
In this video we will cover:
IP and Routers
DHCP
In this video you will learn:
Routers are the connection point between the LAN and the WAN. A router uses layer 3 IP addresses to make decisions as to where a packet should be sent. At a minimum, they are used to route from a LAN to the Internet or WAN connection. They can also be used to route traffic between subnets within a LAN.
The router determines the best route a packet can take based on knowledge of the network that has been stored in the routing tables. Routing tables are built using routing protocols such as OSPF that enable routers to communicate with other routers to exchange knowledge of the networks.
The Dynamic Host Configuration Protocol (DHCP) is used to dynamically assign IP addresses to devices (virtual or real) on a network (virtual or real).
We encourage you to learn more about IP and Routers by watching this complete video. See you in the Next Video.
In this video we will cover:
Software-Defined Networking
SDN PLANES
In this video you will learn:
SDN is a method of managing switches within a network that differs dramatically from older technology. An SDN relieves the switch of the work of making forwarding decisions and places that burden on a controller node. This effectively divides the switch's work into two planes: the control plane and the data plane.
The control plane allows the switch to request a decision from the controller when a new traffic flow is received. This allows the switch to just forward frames, which switches are very good at. The frames are sent along on the data plane.
The controller allows for a single point of control within a network which is useful for management, security, and a host of many other benefits.
SDN is typically found within the physical network (not virtual) at a cloud or service provider today, although it can be used on a virtual network like you would find within Infrastructure as a Service (IaaS).
The data plane lets the switch just be a switch, meaning it simply forwards your data. The control plane is what allows the switch to talk to the controller.
We encourage you to learn more about Software-Defined Network by watching this complete video. See you in the Next Video.
In this video we will cover:
Content Distribution Network
In this video you will learn:
In CDN you have origin servers and edge servers. The perfect example of a Content Distribution Network (CDN) is Netflix. Let’s suppose, for the sake of an easier description, that Netflix has one server in California and all the movies are on that one server. If someone in London is watching a specific movie then it had to have been sent from California to London.
If you are in London and you were to watch the same movie, it would be easier if it was sent to the UK once and then cached on a local edge server. Once cached, anyone who wants to watch it at about the same time can just pull the movie locally. So the ‘trending near me’ section you see when you log into Netflix is telling you which shows are being watched near you and are currently cached on that edge server.
If Netflix convinces others to watch that same movie, the bandwidth across the US and the Atlantic Ocean is not tied up with multiple streams of the same movie, all because the movie has been cached locally.
If nobody is watching it then it disappears from trending near me and the cache on the edge server.
We encourage you to learn more about the Content Distribution Network by watching this complete video. See you in the Next Video.
In this video we will cover:
Virtual Private Network
In this video you will learn:
A Virtual Private Network (VPN) is described by security professionals as an encrypted tunnel. Tunneling brings with it the idea of authentication. The encryption then protects the traffic flow for confidentiality purposes. VPNs that we use today are TLS (formerly SSL), SSH, and IPSec.
We encourage you to learn more about the Virtual Private Network by watching this complete video. See you in the Next Video.
In this video we will cover:
DNS & DNSSEC
In this video you will learn:
How do you get to Netflix? If you are not using the app, you can go to netflix.com. The routers and switches don’t know anything about the domain Netflix.com. The only thing that the network can work on today is IP addresses.
If we are using the IP-based network it has to have an IP address in order to be able to route data to the right destination. So what we need in order to be able to do that is something called Domain Name System (DNS).
DNS will convert the name/URL that the user is attempting to access into an IP address for transmission. DNSSEC (Domain Name System Security Extensions) adds security to DNS: origin authentication of DNS data, data integrity, and authenticated denial of existence.
We encourage you to learn more about the DNS & DNSSec by watching this complete video. See you in the Next Video.
In this video we will cover:
OS Hardening
In this video you will learn:
The right thing to do with any device plugged into any network anywhere is to harden it. We need to take care of servers, especially those that are connected to the outside world.
We need to harden anything that is in the Demilitarized Zone (DMZ). If it's in the DMZ that means it is accessible from the internet. Operating systems need to be hardened or secured to minimize the attack surface.
You also need to make sure that your systems are patched.
Remove the default account; if it cannot be deleted, rename it.
Change the default password.
Shut down unnecessary services.
Close unused ports.
We encourage you to learn more about OS Hardening by watching this complete video. See you in the Next Video.
In this video we will cover:
Redundant Servers
Server Clusters
DRS (Distributed Resource Scheduling)
Dynamic Optimization
In this video you will learn:
Another good thing to do in networks is to have redundant servers. A redundant server is installed with one server actively processing data and the other passively waiting to be needed. So, the servers are active/passive.
Server clusters are installed with all/both servers handling or processing data. So the servers are active/active.
Along with server clusters and redundant servers we have DRS (Distributed Resource Scheduling) and DO (Dynamic Optimization).
DRS - A cloud function that allows resources to be managed dynamically. When a VM is started it can be placed where it best fits by DRS rather than the cloud administrator selecting a location. As resources are used and VMs expand their needs they can be moved dynamically to other servers.
Using Dynamic Optimization (DO) you get the same basic support found with DRS, but here it is used to support server clusters. It is possible to perform a live migration of Virtual Machines (VMs) and Virtual Hard Drives (VHDs) within a host cluster.
We have also highlighted some important points related to Compute Dynamic Optimization and Storage Dynamic Optimization.
We encourage you to learn more about the DRS & DO by watching this complete video. See you in the Next Video.
In this video we will cover:
Network Security Group
Storage Area Network (SAN)
Fibre Channel
World Wide Name (WWN)
iSCSI
In this video you will learn:
A Security Group (SG) or Network Security Group (NSG) is a virtual LAN protected by a firewall. Microsoft uses NSGs to secure internal traffic flow. It is a little bit of firewall logic and a little bit of VLAN logic combined.
The more data we have, the more we need a SAN. You can think of a SAN as many massive drives attached to a LAN that is dedicated to this purpose. For a Storage Area Network we have two protocols: Fibre Channel and iSCSI.
Fibre Channel uses a different addressing scheme of LUNs (Logical Unit Numbers). If necessary, Fibre Channel can be run across Ethernet. iSCSI carries the SCSI (Small Computer System Interface) protocol over TCP/IP. SCSI is a protocol developed by ANSI for attaching something like a printer directly to a computer.
We encourage you to learn more about the NSG and SAN by watching this complete video. See you in the Next Video.
In this video we will cover:
Data Storage
In this video you will learn:
When we talk about storage there are two fundamental kinds: structured and unstructured. Structured storage vs. unstructured storage is the base logic that has been used. Then you can apply different terms to it, like block, volumes, blobs, and so on, depending on the deployment models of SaaS, IaaS, or PaaS.
Be careful with the terms structured and unstructured. They are used both for data storage and for the organization of data itself. They are similar, yet different. Traditionally structured data is a database and unstructured data is big data.
You can match the two - a database (structured) stored in block storage (structured). But it is not a requirement. A database can be saved as a file and stored within a blob (unstructured).
We encourage you to learn more about Data Storage by watching this complete video. See you in the Next Video.
In this video we will cover:
Redundant Array Of Independent Discs (RAID)
Erasure Coding
In this video you will learn:
RAID is a tool that is designed to prevent the loss of data when a server has a hard drive that fails.
RAID 0 stripes data across many drives. Fast to write. But… It does not help when a drive fails.
RAID 1 mirrors the data to a second drive. If a drive fails it will be ok because the data is written to the second drive as well.
RAID 5 stripes data across multiple drives and then puts parity information for each block of data on a different drive. Parity information is also created for every block of data written to a drive. If a drive fails, the lost data can be recreated from the parity field.
Now how do we do this in the cloud? Erasure coding emulates RAID in the cloud. Data is chunked or sharded and then stored across multiple drives. The difference is that the drives are on different servers. Then parity is created and stored separately from the block of data that it represents. If a drive is lost, that chunk of data can be recreated from the associated parity field.
We encourage you to learn more about RAID & Erasure Coding by watching this complete video. See you in the Next Video.
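The parity idea behind RAID 5 and simple erasure coding can be shown with a few lines of XOR arithmetic. The block below is an added example written for this summary (not course code); the record being protected, the number of chunks and the drive layout are assumed.

```python
"""Constructed example (not from the course): single XOR parity as used by RAID 5
and by simple erasure coding. The sample record and chunk count are assumed."""
from typing import List, Optional, Tuple


def xor_chunks(*chunks: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def split_with_parity(data: bytes, n_data: int) -> Tuple[List[bytes], bytes]:
    """Split data into n_data equal (zero-padded) chunks plus one parity chunk.

    In RAID 5 each chunk lands on a different drive in one server; in erasure
    coding the chunks and the parity are spread over drives on different servers."""
    chunk_len = -(-len(data) // n_data)  # ceiling division
    padded = data.ljust(n_data * chunk_len, b"\0")
    chunks = [padded[i * chunk_len:(i + 1) * chunk_len] for i in range(n_data)]
    return chunks, xor_chunks(*chunks)


def recover(chunks: List[Optional[bytes]], parity: bytes) -> List[bytes]:
    """Rebuild at most one missing chunk (marked None) from the survivors and the parity."""
    missing = [i for i, c in enumerate(chunks) if c is None]
    if not missing:
        return list(chunks)
    if len(missing) > 1:
        raise ValueError("single parity can only rebuild one lost chunk")
    lost = missing[0]
    survivors = [c for i, c in enumerate(chunks) if i != lost]
    rebuilt = list(chunks)
    rebuilt[lost] = xor_chunks(parity, *survivors)  # parity XOR survivors == lost chunk
    return rebuilt


def reassemble(chunks: List[bytes], original_len: int) -> bytes:
    """Join the chunks and strip the padding added by split_with_parity."""
    return b"".join(chunks)[:original_len]


def parity_drive(stripe: int, n_drives: int) -> int:
    """RAID 5 rotates which drive holds parity per stripe so no single drive is a hotspot."""
    return (n_drives - 1 - stripe) % n_drives


if __name__ == "__main__":
    record = b"customer=alice;card_last4=1111;balance=42.50"  # constructed sample data
    chunks, parity = split_with_parity(record, 4)
    damaged = list(chunks)
    damaged[2] = None  # simulate the drive holding chunk 2 failing
    print(reassemble(recover(damaged, parity), len(record)) == record)
```

The `ValueError` path is the operational caveat: one parity chunk tolerates exactly one loss, so a second failure before the rebuild completes means data loss. Real erasure-coding schemes use Reed-Solomon codes with several parity chunks to widen that window.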
In this video we will cover:
Cloud Infrastructure Risks
Egregious 11
In this video you will learn:
There are many cloud issues. There are two documents from the Cloud Security Alliance, and the Egregious 11 is one of them. It is not in the 2022 exam outline, but it is still good to look at. These are significant problems with the cloud today. It is worth your time to look into these and be familiar with them regardless of whether (ISC)2 mentions this document name.
Misconfiguration and Inadequate Change Control is a huge problem today. Moving to the cloud usually means that there will be more virtual machines than you had in the physical environment. Configuration issues are rising to the top of the problems that we are seeing. For example, AWS S3 has a default configuration that does not include encryption of the stored data.
When you don't carefully control the configurations of the servers in the cloud, and of the virtualized routers, switches, and everything else, it is going to be a problem. It leads us to the third risk, which is the Lack of Cloud Security Architecture and Strategy.
We encourage you to learn more about Egregious 11 by watching this complete video. See you in the Next Video.
In this video we will cover:
Egregious 11 6-11
In this video you will learn:
The egregious 11 continues with some threats that have neither changed nor improved. Insider threats and insecure APIs. It is a good idea to be familiar with APIs, but we will address that later.
There are some new threats that have been added (since the Treacherous 12), and they are weak control plane, metastructure and applistructure failures, as well as limited cloud visibility. The CSA uses the term ‘control plane’ to refer to what is often called the ‘management plane’. You must protect this connection. It is how you, or a hacker, can control your cloud. Again, think multi-factor authentication.
We encourage you to learn about Egregious 11 by watching this complete video. See you in the Next Video.
In this video we will cover:
Treacherous 12
In this video you will learn:
So there was Egregious 11 which replaced the Treacherous 12. Egregious 11 is more important than the Treacherous 12 when preparing for this test.
A quick look at these is a good idea though.
We encourage you to learn more about Treacherous 12 by watching this complete video. See you in the Next Video.
In this video we will cover:
Risk Assessments / Analysis
In this video you will learn:
There are so many threats that could be realized. Which threats are ones we really need to prepare for? Which threat is the biggest? What would be the most costly? What is the most likely? To uncover those answers we do risk assessments and work towards the best solutions for our business.
Risk appetite is the first question to address. What is the CEO willing to consume in the pursuit of their business? Are they risk aggressive or risk-averse?
The risk profile is the risk an organization can tolerate before it would cease to exist.
We have also highlighted some other key points in this short video. We encourage you to learn more about Risk appetite and risk profile by watching this complete video. See you in the Next Video.
In this video we will cover:
Risk Tolerance
In this video you will learn:
There is a tolerance around risk appetite. Risk tolerance can be used as an indicator of the status of risk. There is a level of tolerance that exists above and below what the CEO believes their risk appetite to be. There are times when they will be a little more risk aggressive and times when they are more risk-averse. That variation gives you risk tolerance.
We have also highlighted some other key points in this short video. We encourage you to learn more about Risk Tolerance by watching this complete video. See you in the Next Video.
In this video we will cover:
Basics To Risk
In this video you will learn:
You should definitely be aware of the fundamental terms of risk management.
The first term is an asset. For example my iPhone.
The second thing is a threat. Some kind of harm can happen to the asset. It will impact confidentiality, integrity, and/or availability.
The next thing is the threat source. The threat source is the who or what that causes the threat to be exploited.
Vulnerability is that your phone is small and portable, making it easy to drop.
The impact is the extent of the damage caused by this threat being exploited.
The final point is the attack/exploit. This is the actual exploitation. It takes this from a theoretical topic to a real one.
We encourage you to learn more about Basic Risk Terminology by watching this complete video. See you in the Next Video.
In this video we will cover:
Quantitative Risk Assessment
In this video you will learn:
There are documents on how to do Risk Assessments. It includes ISO 31000 - Risk Assessment. ISO/IEC 27005 - Information Security Risk Management. There are some others highlighted in this video.
There are two risk assessment methods explained, one is Qualitative and the other is Quantitative risk assessment. In the Quantitative Method, the monetary impact of specific threat events is assessed. There are formulas to calculate the monetary impact.
If you are worried about a single loss, e.g., you drop your phone and run a car over it, that would mean your asset value is $1,000 and the exposure factor is 100%. The formula is Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF).
The Annual Rate of Occurrence (ARO) is how often this happens. When you combine the SLE with the ARO you now know the Annualized Loss Expectancy (ALE).
We have also highlighted some key points in this short video. We encourage you to learn more about Quantitative Risk Assessment by watching this complete video. See you in the Next Video.
In this video we will cover:
Qualitative Risk Assessment
In this video you will learn:
Qualitative risk assessments are a little bit easier. This is when you map the likelihood of an event happening to its expected impact. When you map dozens or hundreds of events you can then prioritize the events that you will prepare for.
Take the phone again, with the concern of dropping it and running it over with a car. The questions are how likely is that and what would its impact be. Not likely and not big are the basic answers.
We encourage you to learn more about Qualitative Risk Assessment by watching this complete video. See you in the Next Video.
In this video we will cover:
Risk Reduction/ Mitigation
Risk Transference
Risk Avoidance
Risk Acceptance
In this video you will learn:
After getting through quantitative and qualitative risk assessments the next question to address is “What should we do about it?” There are four choices. Reduce your risk, transfer your risk, avoid your risk and accept your risk.
Let’s start with avoidance. If it’s too risky, don’t do it. When a risk is determined to be too great that activity should not be started. If the business is already engaged, then it should be stopped.
Risk reduction is applying controls to minimize the likelihood or impact, e.g., wearing masks to reduce the chance of getting COVID.
Risk transference is involving someone else in the recovery if the risk is realized, e.g., insurance. If you get sick with COVID and you are in hospital, then your insurance should cover those expenses.
The last one is risk acceptance, no matter what else is done in response to risk, there is always at least a chance a risk will occur and there will be an impact felt. That chance must be accepted by the appropriate party.
We have also highlighted some key points in this short video. We encourage you to learn more about Risk Response by watching this complete video. See you in the Next Video.
In this video we will cover:
Identity And Access Management
Identification and Authentication
In this video you will learn:
We will cover the basics of Identity and Access Management (IAM). With that, we have Identification, Authentication, Authorization, and Accountability (IAAA).
Identification- Statement of who you say you are.
Authentication- Verification of claimed identity.
Authorization- Permissions granted or not.
Accountability- Log created so that someone can be held accountable for their actions.
In authentication, there are three factors.
Factor 1 is something you know, e.g., passwords.
Factor 2 is something you have, such as soft or hard tokens.
Factor 3 is something you are. A biometric which would be behavioral or physiological, such as a fingerprint or a vocal print.
We encourage you to learn more about Basic IAAA Introduction by watching this complete video. See you in the Next Video.
In this video we will cover:
Authorization
Accountability
RBAC
In this video you will learn:
The next step is to identify what level of access we should grant. It means granting access and privileges, or not. Decisions could be based on classification/clearance combinations, ACLs, RBAC, etc.
The next important thing is to log. It is critical to decide what level of logging to do. Logs are not automatic within the cloud. Logging is actually a lot of work to make happen; then you have to figure out what you are logging, how much you are logging, where to send the logs, and what kind of alerts you need.
Accountability is to create a log to be able to hold users accountable for actions within their accounts.
Role-based access control is an access control methodology that works well in large companies that can easily distinguish roles that contain many users. We have also highlighted more key points in this short video. We encourage you to learn more about Authorization and RBAC by watching this complete video. See you in the Next Video.
In this video we will cover:
Attribute-Based Access Control
In this video you will learn:
The other way to control access is attribute-based. In the early days, we called it Network Access Control (NAC). Access is determined by many different attributes such as patch level, known or unknown device, wired or wireless network access, within or outside of the business VLANs, antimalware status, and firewall status.
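To show how the pieces from the last two sections fit together (RBAC deciding what a role may do, attribute-based checks on the device in the NAC style described above, and an accountability log of every decision), here is an added example written for this summary. It is not course code; the users, roles, permission names and the device-health policy are all assumed.

```python
"""Constructed example (not from the course): an authorization check that combines
RBAC (role -> permissions) with ABAC on device attributes (NAC-style) and records
every decision for accountability. Users, roles and policy are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Set

# RBAC: roles group permissions; users are assigned roles (assumed data)
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "dba": {"db:read", "db:write", "db:backup"},
    "analyst": {"db:read"},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"dba"}, "bob": {"analyst"}}


@dataclass
class DeviceAttributes:
    patched: bool          # current patch level
    managed: bool          # known (corporate) device or unknown
    network: str           # "wired", "wireless" or "vpn"
    antimalware_ok: bool
    firewall_on: bool


def rbac_allows(user: str, permission: str) -> bool:
    """True if any of the user's roles carries the permission."""
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def abac_allows(device: DeviceAttributes, permission: str) -> bool:
    """Assumed policy: any access needs a healthy device; write/backup also
    needs a managed device on the wired corporate network."""
    healthy = device.patched and device.antimalware_ok and device.firewall_on
    if not healthy:
        return False
    if permission.split(":")[1] in ("write", "backup"):
        return device.managed and device.network == "wired"
    return True


AUDIT_LOG: List[dict] = []  # in practice: shipped off-host, append-only


def authorize(user: str, permission: str, device: DeviceAttributes) -> bool:
    """Grant only if both the role check and the attribute check pass, and log why."""
    rbac = rbac_allows(user, permission)
    abac = abac_allows(device, permission)
    decision = rbac and abac
    AUDIT_LOG.append({"user": user, "permission": permission,
                      "rbac": rbac, "abac": abac, "allowed": decision})
    return decision


if __name__ == "__main__":
    corp_desktop = DeviceAttributes(True, True, "wired", True, True)
    byod_wifi = DeviceAttributes(True, False, "wireless", True, True)
    print(authorize("alice", "db:write", corp_desktop))  # role ok, device ok
    print(authorize("alice", "db:write", byod_wifi))     # role ok, device fails
    print(authorize("bob", "db:write", corp_desktop))    # device ok, role fails
    for entry in AUDIT_LOG:
        print(entry)
```

Logging the RBAC and ABAC outcomes separately, not just the final decision, is what makes the record useful later: an investigator can tell whether a denied request failed because of the person or because of the device.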
We encourage you to learn more about Attribute-based access control by watching this complete video. See you in the Next Video.
In this video we will cover:
Single Sign-On
In this video you will learn:
The next important topic is Single Sign-On (SSO), which you add to make things easier for users. Sometimes it makes things easier for bad guys as well. The number of accounts, passwords, tokens, and other access mechanisms that we have to try and manage in business today is many per user.
Personally, you can think about your bank account, Amazon account, and many other places to log on that you have a user ID and password. It is a lot to manage.
Most people use a single account to log in; e.g., people use Facebook to log in at different places so they don't have to set up more identification and password combinations again and again.
We encourage you to learn more about Single Sign-On by watching this complete video. See you in the Next Video.
In this video we will cover:
SAML
In this video you will learn:
SAML stands for Security Assertion Markup Language. It is old because cloud technology is evolving very quickly, but SAML is still well supported in the industry today. This is the technology we are using to be able to log on as Single Sign-on into the cloud.
SAML is XML based. Let’s take the example of Facebook: when you log on to Facebook in order to access another site you are trying to get to, how does that work? This is a good thing to know.
For example, if you are trying to access a website through Facebook, you see a Facebook button on that website. You click that button to log in using Facebook, and it redirects you to Facebook. So your computer is now connected to Facebook; you log in, and Facebook sends a token through your computer over to that website.
The token is formatted with XML. So the website that the user wants to connect to is the service provider, and Facebook is the identity provider or Identity as a Service (IaaS) provider.
The user's computer is the relaying party. It relays the token from the IaaS provider to the service provider. The service provider is the relying party. It relies on the IaaS provider to authenticate the user.
We encourage you to learn more about SAML by watching this complete video. See you in the Next Video.
In this video we will cover:
OAuth
OpenID
WSFederation
In this video you will learn:
OAuth is Open Authorization, it’s all about the authorization, not authentication. OAuth is really great for mobile, and IoT. It uses JSON rather than XML.
Then next is OpenID, which is part of OpenID Connect, which is actually part of the OAuth 2.0 framework. OpenID allows you to use an existing account to sign In to multiple websites, without needing to create new passwords.
WS-Federation is an OASIS standard for authentication that results in a security token. It is often associated with Microsoft, but it is an open standard so it could be used by anybody. It does use SOAP and XML.
We encourage you to learn more about OAuth, OpenID, & WSFederation by watching this complete video. See you in the Next Video.
In this video we will cover:
Cloud Access Security Broker
In this video you will learn:
CASB is built around trying to see what users are doing. We must know where users are sending data. It monitors what they are looking for and what they actually connect to. If it’s an encrypted session, then it can do man-in-the-middle monitoring. It can do data loss and leak prevention and monitor DNS queries.
We have also covered some key points from this short video. We encourage you to learn more about CASB by watching this complete video. See you in the Next Video.
In this video we will cover:
Firewall
Firewall Placement
In this video you will learn:
Firewalls are a traditional technology, they are not cloud-specific. Firewalls will block or allow traffic based on its configuration. By default, it should block all traffic. It is good to know how a firewall works. It analyzes incoming packets against a list of rules, which is often called a policy. It compares the incoming packet against each rule in top-down order.
The firewall should be installed between a trusted and untrusted network. That includes between a LAN and a data center.
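The top-down, first-match, default-deny evaluation described above is easy to get wrong in practice, so here is an added example written for this summary (not course code) that implements it and shows what rule ordering does to a policy. The addresses, the DMZ host and the rules are assumed.

```python
"""Constructed example (not from the course): a packet filter that evaluates rules
top-down, stops at the first match, and denies anything no rule matches.
Addresses and rules are assumed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR, single address, or "any"
    dst: str
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (_in_net(self.src, pkt["src"])
                and _in_net(self.dst, pkt["dst"])
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))


def _in_net(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(policy: List[Rule], pkt: dict) -> Tuple[str, Optional[int]]:
    """First matching rule wins; with no match the verdict is the default deny."""
    for index, rule in enumerate(policy):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# Assumed policy for a firewall between the LAN (10.0.0.0/8) and a DMZ web host
POLICY = [
    Rule("allow", "any", "192.0.2.10", "tcp", 443),             # public HTTPS to the DMZ host
    Rule("deny", "198.51.100.0/24", "192.0.2.10", "tcp", 443),  # shadowed: rule 0 already matched
    Rule("allow", "10.0.0.0/8", "192.0.2.10", "tcp", 22),       # admin SSH only from the LAN
    Rule("allow", "10.0.0.0/8", "any", "udp", 53),              # LAN may resolve names
]


def rules_never_fired(policy: List[Rule], sample_packets: List[dict]) -> List[int]:
    """Rule indexes that never matched the sample traffic; a hint that ordering hides them."""
    fired = {evaluate(policy, p)[1] for p in sample_packets}
    return [i for i in range(len(policy)) if i not in fired]


if __name__ == "__main__":
    samples = [
        {"src": "198.51.100.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 443},
        {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 22},
        {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "tcp", "dport": 22},
    ]
    for pkt in samples:
        print(pkt["src"], "->", pkt["dst"], evaluate(POLICY, pkt))
    print("never fired:", rules_never_fired(POLICY, samples))
```

Rule 1 is the lesson: because the broad allow sits above it, the narrower deny can never match, so traffic from 198.51.100.0/24 is allowed by rule 0. Specific denies belong above the general allows they are meant to carve out.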
There are visuals in the short video about the Firewall’s placement. We encourage you to learn more about Firewalls by watching this video. See you in the next video.
In this video we will cover:
IDS
IPS
Intrusion Detection Logic
Actions That Are Possible Include
IDS/IPS Placement
In this video you will learn:
An IDS (Intrusion Detection System) is a device or software that monitors and logs network events. An IDS is usually installed on a SPAN port on a switch. This allows it to view traffic by receiving a copy of what was sent through the switch.
It can be installed as a network appliance or on the destination/source host device. When installed on the host it often examines the logs, not the packet.
Meanwhile, the IPS (Intrusion Prevention System) is also a device or software installed on the network or the host. It is inline, for network-based IPS. Traffic must pass through the IPS. By being inline it can actively react to malicious traffic.
The other good question to ask is how do you know that it is an intrusion? There are two basic ways, signatures and anomalies. We encourage you to learn more about IDS & IPS by watching this complete video. See you in the Next Video.
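The two detection approaches named above (signatures and anomalies) can be demonstrated on a few lines of web-server log, which is also what a host-based IDS examines. The block below is an added example written for this summary, not course code; the log lines are constructed, and the signature patterns, baseline failure rate and thresholds are assumed.

```python
"""Constructed example (not from the course): signature-based and anomaly-based
intrusion detection logic run over constructed web-server log lines."""
import re
from collections import Counter
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample log lines in common log format (not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 800',
    '203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 120',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /search?q=%27%20or%201%3D1 HTTP/1.1" 200 950',
] + [
    f'198.51.100.9 - - [10/Oct/2023:13:56:{10 + i:02d} +0000] "POST /login HTTP/1.1" 401 0'
    for i in range(6)
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')

# Signature detection: known-bad patterns looked for in the decoded request path (assumed set)
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sqli_probe": re.compile(r"(?i)(union\s+select|'\s*or\s+1\s*=\s*1)"),
}


def parse(line: str) -> Optional[dict]:
    """Parse one log line; returns None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status, _size = m.groups()
    return {"ip": ip, "method": method, "path": unquote(path), "status": int(status)}


def signature_alerts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(signature name, source ip, decoded path) for every line matching a signature."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((name, rec["ip"], rec["path"]))
    return alerts


def anomaly_alerts(lines: List[str], baseline_fail_rate: float = 0.10,
                   min_requests: int = 5, factor: float = 3.0) -> List[Tuple[str, float]]:
    """Sources whose error rate (4xx/5xx) is well above the baseline seen for
    normal users. No signature is needed, only a deviation from normal."""
    total, failed = Counter(), Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        total[rec["ip"]] += 1
        if rec["status"] >= 400:
            failed[rec["ip"]] += 1
    return [(ip, failed[ip] / total[ip]) for ip in total
            if total[ip] >= min_requests and failed[ip] / total[ip] > factor * baseline_fail_rate]


if __name__ == "__main__":
    for alert in signature_alerts(SAMPLE_LOG):
        print("signature:", alert)
    for ip, rate in anomaly_alerts(SAMPLE_LOG):
        print(f"anomaly: {ip} failure rate {rate:.0%}")
```

Note that the anomaly rule fires on the same source without knowing anything about the requests' content, while the signature rule needs the URL to be decoded first; an IDS that matched only the raw, percent-encoded path would miss the second pattern.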
In this video we will cover:
Segmentation
Micro-Segmentation
In this video you will learn:
Segmentation is common with virtualization/hypervisors and virtual LANs. We have new terms with the cloud such as micro-segmentation. It creates very tiny controlled ‘networks’. It is effectively a VLAN with a firewall in front of it. Since everything in the cloud is virtual, we can create small LANs and very carefully control the traffic through the firewall, since we are only allowing access to a single server or even just a single application.
We encourage you to learn more about Micro-Segmentation by watching this complete video. See you in the Next Video.
In this video we will cover:
Hyper-Segmentation
In this video you will learn:
Hyper-segmentation uses the segmentation capability of the hypervisor itself to isolate a workload's traffic from everyone else's, so the isolation is enforced below the guest operating system rather than by network devices the guest can see or tamper with.
We encourage you to learn more about Hyper-Segmentation by watching this complete video. See you in the Next Video.
In this video we will cover:
Blast Radius
In this video you will learn:
When you micro-segment, your blast radius becomes very small. The blast radius describes how much damage a single successful attack can cause: how many machines and how much data a bad actor can reach from the point of compromise. Once you understand the blast radius, you know what is at stake if any one workload falls.
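As an added example covering both the micro-segmentation and blast-radius lessons (not part of the course material): the blast radius of a compromised host is simply the set of hosts reachable by chaining the allowed flows, so it can be computed with a breadth-first search over the allow rules. The three-tier deployment, host names and rules are constructed for illustration.

```python
from collections import deque
from typing import Dict, Iterable, List, Set

# Constructed three-tier deployment; names are illustrative.
HOSTS = ["web1", "web2", "app1", "app2", "db1", "db2", "jump"]

def flat_network(hosts: Iterable[str]) -> Dict[str, List[str]]:
    """One VLAN with no firewall between hosts: everyone can reach everyone."""
    hosts = list(hosts)
    return {h: [o for o in hosts if o != h] for h in hosts}

# Micro-segmented: each entry lists the hosts a workload may *initiate* connections to.
# Direction matters; replies come back through the stateful firewall on their own.
MICRO_SEGMENTED: Dict[str, List[str]] = {
    "web1": ["app1", "app2"],
    "web2": ["app1", "app2"],
    "app1": ["db1"],
    "app2": ["db1"],
    "db1":  ["db2"],          # replication to the standby
    "db2":  [],
    "jump": ["web1", "web2", "app1", "app2", "db1", "db2"],   # admin access to everything
}

def blast_radius(start: str, allowed: Dict[str, List[str]]) -> Set[str]:
    """Hosts an attacker who owns `start` can reach by chaining allowed flows
    (breadth-first search over the allow rules). Includes `start` itself."""
    seen = {start}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        for nxt in allowed.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def compare(hosts: Iterable[str], segmented: Dict[str, List[str]]):
    """Blast radius size per starting host: (flat network, segmented network)."""
    hosts = list(hosts)
    flat = flat_network(hosts)
    return {h: (len(blast_radius(h, flat)), len(blast_radius(h, segmented)))
            for h in hosts}

if __name__ == "__main__":
    for host, (flat_n, seg_n) in compare(HOSTS, MICRO_SEGMENTED).items():
        print(f"{host}: flat {flat_n} hosts, segmented {seg_n} hosts")
```

Two things the numbers show: a compromised standby database reaches nothing but itself, and the jump host keeps a blast radius of the whole estate in either design. Segmentation does nothing for the host that is allowed everywhere, which is why that host gets the strongest authentication and monitoring.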
We encourage you to learn more about Blast Radius by watching this complete video. See you in the Next Video.
In this video we will cover:
Activity Monitors
Database Activity Monitor
File Activity Monitor
In this video you will learn:
We have two types of activity monitors: the database activity monitor and the file activity monitor. A database activity monitor watches users' activity on the database. The database's own logs would show that activity, but if those logs are corrupted, lost, or tampered with, that knowledge is gone.
The monitored activity includes who logs in, failed login attempts, and the actions taken on the data itself. The monitor's logs are stored outside the database so that users, and attackers who have taken over a database account, cannot read or modify them.
The file activity monitor refers to the activity that occurs on a file storage system. We encourage you to learn more about Activity Monitor by watching this complete video. See you in the Next Video.
In this video we will cover:
Data Loss Prevention
DLPaaS
In this video you will learn:
DLP stands for Data Loss (or Leak) Prevention (or Protection). A leak is an unacceptable transmission of data, usually by a user. A simple example is a user putting a credit card number in an email, thinking the email is secure.
The organization needs to ensure that data is not leaking out of the organization's network, which means inspecting content at the points where it leaves: email, web uploads, file shares, and cloud storage.
DLPaaS is DLP delivered as a service: a cloud provider uses the same technology to monitor and control the loss of the customer's information.
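As an added example, not part of the course material: the credit-card-in-email case from the lesson, detected the way a content-inspecting DLP rule does it, by combining a digit pattern with the Luhn check digit test so that order numbers and phone numbers are not flagged, then masked before the message leaves. The email body is constructed; the card numbers in it are the industry's standard test numbers, not real cards.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check that every payment card number passes. Filtering candidates
    through it removes most phone numbers, order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str):
    """Return the card-number-looking strings in `text` that pass Luhn."""
    hits = []
    for m in CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(m.group())
    return hits

def redact(text: str) -> str:
    """Mask all but the last four digits of each detected PAN; leave everything else intact."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(mask, text)

# Constructed outbound email body.
EMAIL = (
    "Hi, here is my card so you can book the flight: 4111 1111 1111 1111, expires 12/27.\n"
    "Order reference 1234-5678-9012-3456, call me on +1 415 555 2671.\n"
    "Backup card: 5555555555554444\n"
)

if __name__ == "__main__":
    print(find_pans(EMAIL))
    print(redact(EMAIL))
```

The order reference has 16 digits and the right shape but fails Luhn, so it survives redaction untouched; a real DLP policy adds context (words like "card" or "expires" nearby, or an issuer prefix check) to push the false-positive rate down further.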
We encourage you to learn more about DLP by watching this complete video. See you in the Next Video.
In this video we will cover:
Hot and Cold Aisles
In this video you will learn:
In a hot aisle/cold aisle layout, rows of racks are arranged so that the fronts of two rows face each other across a cold aisle and the backs of two rows face each other across a hot aisle. The equipment pulls cold air in through the front and pushes hot air out the back.
Cold aisles are where the cooled supply air is delivered, often through perforated floor tiles, and where people normally work, in front of the equipment. Hot aisles collect the exhaust and return it to the cooling units.
Putting two rows of racks nearly back to back concentrates the hot exhaust into one aisle that a person could squeeze into but does not normally walk through. Keeping the hot and cold air streams apart, ideally with containment, means the cooling system only has to chill the supply air going to the front of the equipment rather than the whole room; since hot air rises and cold air falls, the hot return can be collected overhead.
We encourage you to learn more about Hot & Cold Air Aisles by watching this complete video. See you in the Next Video.
In this video we will cover:
Data Center Tiers
In this video you will learn:
There are four data center tiers defined by the Uptime Institute. Tier 1 is the lowest and Tier 4 is the highest; each tier includes the requirements of the ones below it.
Tier 1 is basic capacity: a single, non-redundant path for power and cooling with enough infrastructure to make things function, so any maintenance or component failure means downtime.
Tier 2 adds redundant capacity components (N+1) for power and cooling, but still on a single distribution path.
Tier 3 is concurrently maintainable: any component can be taken out of service for planned maintenance without shutting down the equipment.
Tier 4 is fault tolerant: the site infrastructure has multiple, independent, physically isolated distribution paths, so a single unplanned failure does not cause an outage. The tiers describe the facility's power and cooling design, not the network topology on its own.
We encourage you to learn more about Data Center Tiers by watching this complete video. See you in the Next Video.
In this video we will cover:
Business Continuity Management
Issues
In this video you will learn:
Business Continuity Management (BCM) is a useful umbrella term for all of the plans a business needs to build: business continuity plans, disaster recovery plans, incident response plans, contingency plans, and so on. The term comes from British Standard BS 25999, which has since been superseded by ISO 22301.
Events are defined by ITIL as a change of state that has significance for the management of a service.
An incident response plan is defined by NIST SP 800-34 as "The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attack against an organization's information system(s)."
When an incident recurs and the root cause must be found, we turn to problem management.
A disaster recovery plan (DRP), rather than the disaster itself, is what NIST defines in the SP 800-82 glossary as "A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities."
Business continuity plans are defined by NIST in SP 800-34 as “The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption.”
We encourage you to learn more about BCM Introduction by watching this complete video. See you in the Next Video.
In this video we will cover:
Plans
Policy
Project Management Initiation
In this video you will learn:
To talk about the plans we need for our cloud, put them in the context of proper business continuity management, disaster recovery planning, and so on. There needs to be a policy on business continuity that states the goals and objectives for each level of disruption, from a single incident to a full business interruption.
We then move on to Project Management Initiation (PMI), which is basically the plan to build the plan. CCSP does not focus much on these first two steps, but it is crucial that we do not skip them.
We encourage you to learn more about the Beginning of BCP/DRP planning by watching this complete video. See you in the Next Video.
In this video we will cover:
Business Impact Analysis
In this video you will learn:
In the Business Impact Analysis (BIA) we start from a risk assessment. A BIA is a risk assessment plus the time frames: how long a function can be offline, how long it will take to recover it, and so on. That is why it is called business impact analysis and not just a risk assessment.
A quantitative risk assessment calculates the cost of an incident to the business in monetary terms.
A qualitative risk assessment ranks and prioritizes incidents (for example high, medium, low) to determine what must be protected against first.
We encourage you to learn more about BIA part 1 Risk Assessments by watching this complete video. See you in the Next Video.
In this video we will cover:
Business Impact Analysis
MTD (Maximum Tolerable Downtime)
RTO (Recovery Time Objective)
In this video you will learn:
What we do with business impact is add time frames. Maximum Tolerable Downtime (MTD) is the longest a business function can be unavailable before the damage becomes unacceptable to the business.
The Recovery Time Objective (RTO) is the time the corporation allows itself to do the actual work of recovery. It must be shorter than the MTD, because after the system is rebuilt there is still time needed to verify it and resume normal work before the MTD is reached.
The Recovery Point Objective (RPO) is how far back in time the last known good backup may be when an incident strikes. It is expressed as a unit of time, and it is really a statement of how much data the business can afford to lose.
We have also highlighted some more key points in this short video.
We encourage you to learn more about BIA part 2 MTD to RTO by watching this complete video. See you in the Next Video.
In this video we will cover:
RTO to RPO
In this video you will learn:
The Recovery Time Objective (RTO) is the window of time dedicated to performing the work of recovery. If you have a server in a data center and it is on fire, recovering inside the RTO requires a replacement server (physical or virtual) with a patched operating system and patched applications ready to go.
The next step is to load the data. When was the last backup performed and completed? The Recovery Point Objective (RPO) is an expression of the data loss you accept: everything from the last completed backup up to the fire (in this example) is gone. This is normally expressed as a unit of time, which in turn dictates how often backups must run, and a backup job that ran but failed widens the loss beyond the RPO without anyone noticing.
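As an added worked example for the MTD/RTO and RTO/RPO lessons (not part of the course material): a small checker that takes a system's MTD, RTO and RPO, the restore time measured in the last DR rehearsal, and the day's backup job results, and reports which targets a disaster at a given hour would break. The systems, numbers and the failed 13:00 backup job are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class RecoveryTargets:
    name: str
    mtd_h: float                       # maximum tolerable downtime, hours
    rto_h: float                       # recovery time objective, hours
    rpo_h: float                       # recovery point objective, hours of data loss tolerated
    rehearsed_restore_h: float         # how long the last DR test actually took, hours
    backups: List[Tuple[float, bool]]  # (hour of day the job finished, succeeded?)

def last_good_backup(backups: List[Tuple[float, bool]], incident_h: float) -> Optional[float]:
    """Completion time of the newest *successful* backup before the incident.
    A job that ran but failed does not count; that is what silently widens the window."""
    good = [t for t, ok in backups if ok and t <= incident_h]
    return max(good) if good else None

def assess(target: RecoveryTargets, incident_h: float) -> List[str]:
    """Findings for one system if a disaster strikes at `incident_h` (hour of day)."""
    findings = []
    if target.rto_h > target.mtd_h:
        findings.append("RTO exceeds MTD: the plan cannot meet the business requirement")
    if target.rehearsed_restore_h > target.rto_h:
        findings.append("rehearsed restore takes longer than the RTO")
    newest = last_good_backup(target.backups, incident_h)
    if newest is None:
        findings.append("no successful backup before the incident")
    else:
        loss_h = incident_h - newest
        if loss_h > target.rpo_h:
            findings.append(f"data loss {loss_h:.1f}h exceeds RPO {target.rpo_h:.1f}h")
    return findings

# Constructed targets: hourly backups for the order system, with the 13:00 job failed.
ORDERS = RecoveryTargets("orders", mtd_h=8, rto_h=4, rpo_h=1, rehearsed_restore_h=3,
                         backups=[(h, h != 13) for h in range(24)])
# A CRM whose agreed RTO is longer than the business can actually survive.
CRM = RecoveryTargets("crm", mtd_h=24, rto_h=36, rpo_h=24, rehearsed_restore_h=30,
                      backups=[(2, True)])

if __name__ == "__main__":
    for hour in (12.5, 13.5, 14.5):
        print(ORDERS.name, hour, assess(ORDERS, hour))
    print(CRM.name, assess(CRM, 20))
```

An incident at 13:30 loses an hour and a half of orders against a one-hour RPO, purely because the 13:00 job failed; by 14:30 the next successful job has closed the gap again. The CRM finding is the kind a BIA is meant to surface before the plan is signed off.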
We encourage you to learn more about BIA part 3 RTO to RPO by watching this complete video. See you in the Next Video.
In this video we will cover:
BIA part 4 SDO and RSL
In this video you will learn:
The next question to address is the level of functionality that must be attained at the recovery site; this is what the Service Delivery Objective (SDO) and Recovery Service Level (RSL) express. The word functional is used very deliberately: it is not the normal level of processing, but enough for the business to survive. So the question is what percentage of your production capacity must exist at the recovery site, measured in CPU capacity, number of calls processed, number of transactions performed, and so on, that allows the business to return to processing even though it is not at its normal level.
We encourage you to learn more about BIA part 4 SDO and RSL by watching this complete video. See you in the Next Video.
In this video we will cover:
Cloud Recovery Strategies
In this video you will learn:
We are going to talk very specifically about where the cloud features in recovery strategies. We are not going to talk about hot, cold, or mobile sites, but rather just the three cloud solutions. The first is to fail over from a physical data center into the cloud. The second is to fail over within one provider, from one region to another region. The third is to fail over from one cloud provider to a different cloud provider, for example from AWS to Azure, which only works if the workload and its data have been kept portable between the two.
We encourage you to learn more about cloud Recovery Strategies by watching this complete video. See you in the Next Video.
In this video we will cover:
Document
In this video you will learn:
The next step is to document everything that we learned in this planning process: the procedural steps that make up the business continuity plans and disaster recovery plans.
Then the plans must be tested; there are five levels of tests. We encourage you to learn more about cloud Documents and Test the plan by watching this complete video. See you in the Next Video.
The final step is to embed the plan in the organization. That does not mean everybody must know the plans in detail: wherever the cloud is involved and wherever a change to the cloud is needed, whoever needs to know about the plan must know about it and be trained in their part of it.
In this video we will cover:
Application Security
Clean Code
In this video you will learn:
First, it should be said that a secure application means the code is clean: free of flaws and defects. Adding security features to applications is also critical; the two things we typically add are encryption and authentication.
Adding security, such as cryptography, helps protect the data being processed by the application, but it does not by itself make the application secure. Clean code requires that the developers and everyone else who touches the project be trained in how to develop clean code.
We encourage you to learn more about Introduction & What is Clean Code by watching this complete video. See you in the Next Video.
In this video we will cover:
Software Development Lifecycle
In this video you will learn:
The software development life cycle (SDLC) is the logic of project management applied to software development. In the CSA Guidance 4.0 document the life cycle is simply define, design, develop, and test.
Another SDLC, from a project perspective and more comprehensive, is:
Project management and initiation
Functional design
Detailed design
Develop and document
Test, update, and push to production
End of Life
If you have a different life cycle that you prefer, that is fine. The logical flow is always the same: plan before you build; once it is built it can be tested; once ready it can be pushed out to the production environment.
(ISC)² does not have a preferred life cycle. The CSA gives about half of a life cycle in its document. What is important is that we add security at every step of whichever life cycle we follow at the office.
We encourage you to learn more about Software Development Life Cycle (SDLC)by watching this complete video. See you in the Next Video
In this video we will cover:
Supply Chain Management
In this video you will learn:
We have supply chain concerns over where some of our code comes from. Surveys consistently show that most applications pull a significant amount of their code from external sources such as GitHub and public package registries. The questions you face in the supply chain are: where does this code come from? Who created it? Is it being maintained? Is it being tested? Does it pull in further dependencies of its own? And so on.
We encourage you to learn more about Supply Chain Management by watching this complete video. See you in the Next Video.
In this video we will cover:
Software Development Methodologies
In this video you will learn:
Once we have our software life cycle, the next question is how we move through it. The life cycle does not need to be followed in a linear format (waterfall). Many other approaches have been developed over the years; the ones showing up the most in business right now seem to be Agile, Scrum, DevOps, and DevSecOps.
We have covered these approaches in this short video. We encourage you to learn more about Software Development Methodologies by watching this complete video. See you in the Next Video.
In this video we will cover:
DEVOPS PRACTICES
In this video you will learn:
We now define infrastructure, metastructure, infostructure, and applistructure, the four layers of the CSA logical model. Infrastructure is the routers, switches, and servers, except that in the cloud they are not physical. Metastructure is the protocols and mechanisms that connect the infrastructure to the other layers: the management plane, including the provider's APIs and console. Infostructure is the data and information, such as database contents and file storage. Applistructure is the applications deployed in the cloud and the application services used to build them.
With Infrastructure as Code (IaC), our infrastructure is now just code. It is virtual: we do not have to buy a physical router to build a virtual data center (DC) in the cloud. In Infrastructure as a Service (IaaS) the routers, switches, and servers are virtual, and when they are virtual you could say they are just code, which means that code needs the same review, version control, and testing as application code.
Do you want to learn more about DEVOPS PRACTICES? We have covered key points in this short video. We encourage you to learn more about DevOps Practices by watching this complete video. See you in the Next Video.
In this short video, we have some thoughts on remembering numbers for the test. We encourage everyone to watch this video.
See you in the next video.
In this video we will cover:
Continuous Integration and Continuous Delivery
In this video you will learn:
Look at Microsoft 365 and ask: when was the last time PowerPoint, Excel, or Word was patched? With SaaS it is much easier for the software vendor to keep the product up to date, compared with the process any application must go through when patches have to be applied within the corporation's own control.
What we really need is DevSecOps. There are many diagrams of DevSecOps, but the one in the video is a good one because it has the basic DevOps loop in the middle and security wrapped around the whole thing, so that security is part of both development and operations: three teams working together for the business.
We encourage you to watch the whole video to get answers.
In this video we will cover:
Software Testing
In this video you will learn:
Software must be tested. Software is the attack point: it is because of software flaws that attackers cause as much damage as they do. It is a constant battle to stay ahead of the bad actor, so knowing the different types of tests is a good starting point.
First we have two terms: verification and validation.
Verification asks whether we built the software right: does it conform to its specification and design? Every feature and function is checked against the original build plan.
Validation asks whether we built the right software: does it actually work and satisfy the need it was built for when exercised? The functions that exist within the application are validated for correct behaviour in use.
We have covered key points in this short video. We encourage you to learn more about Software Verification & Validation by watching this complete video. See you in the Next Video.
In this video we will cover:
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Interactive Application Security Testing (IAST)
Fuzz Testing
In this video you will learn:
First is SAST: static means the application is not running. The only thing you have is the source code (or compiled binaries), so the analysis looks at the code itself. This can be done from the moment coding begins, early in the development process, where fixes are cheapest.
Next is DAST: dynamic means the application is running. In DAST it is critical to simulate malicious attacks, so DAST analyzes the running application by exercising its functionality and detecting vulnerabilities from the application's behaviour and responses, without needing the source code.
IAST analyzes the behaviour of the running software while also seeing the lines of code as they are executed, typically through an agent inside the application. In a way it combines DAST and SAST.
Fuzz testing, or fuzzing, is basically throwing as much malformed and unexpected input at an interface as you can to discover where the application breaks; every crash it finds is a candidate vulnerability to triage.
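As an added example, not part of the course material: a deliberately fragile parser for a made-up "length:key=value" record format, a hardened version of the same parser, and a small mutation fuzzer that throws corrupted variants of a seed record at each and records the exceptions it provokes. The record format, both parsers and the seed are constructed for illustration.

```python
import random
from typing import Callable, Dict, Optional

def parse_fragile(data: bytes) -> Dict[str, str]:
    """Parses 'length:key=value'. Deliberately fragile: trusts the declared
    length, assumes a numeric prefix and exactly one '=', and assumes UTF-8."""
    n, _, rest = data.partition(b":")
    length = int(n)                  # ValueError on a non-numeric length
    body = rest[:length]
    key, value = body.split(b"=")    # ValueError unless exactly one '='
    return {key.decode(): value.decode()}   # UnicodeDecodeError on bad bytes

def parse_hardened(data: bytes) -> Optional[Dict[str, str]]:
    """Same format, every assumption checked; malformed input yields None, never an exception."""
    n, sep, rest = data.partition(b":")
    if not sep or not n.isdigit():
        return None
    length = int(n)
    if length > len(rest):           # declared length must fit the data we have
        return None
    body = rest[:length]
    if body.count(b"=") != 1:
        return None
    key, value = body.split(b"=")
    try:
        return {key.decode("utf-8"): value.decode("utf-8")}
    except UnicodeDecodeError:
        return None

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random byte-level edits: overwrite, insert or delete."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(3)
        if op == 0 and data:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1:
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif op == 2 and data:
            del data[rng.randrange(len(data))]
    return bytes(data)

def fuzz(parser: Callable[[bytes], object], seed: bytes = b"10:user=alice",
         iterations: int = 2000, rng_seed: int = 1) -> Dict[str, bytes]:
    """Run `parser` on mutated inputs; return one triggering input per exception type."""
    rng = random.Random(rng_seed)    # fixed seed so a run is reproducible
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes

if __name__ == "__main__":
    print("fragile:", fuzz(parse_fragile))
    print("hardened:", fuzz(parse_hardened))
```

Each entry the fragile run returns is a reproducer to keep: in a compiled parser the same unchecked length would be an out-of-bounds read rather than a Python exception. The hardened parser returns an empty crash set because every input either parses or is rejected by a check.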
We have covered key points in this short video. We encourage you to learn more about Software Testing by watching this complete video. See you in the Next Video.
In this video we will cover:
Operations
In this video you will learn:
This domain is mainly from the cloud provider's perspective. There is some from the customer's perspective as well, but mainly this domain is about the cloud provider's side. If you are not familiar with working with big data centers or carriers, watch some videos about data centers.
We encourage you to learn more about Introduction to Operations by watching this complete video. See you in the Next Video.
In this video we will cover:
Patch Management
In this video you will learn:
There is also the patching of the equipment. The operating systems on the servers, the switches, and the routers all have to be patched and kept current.
You need to back up the router, switch, and server configurations before patching, and if you back something up you have to test that the backup can actually be restored.
We encourage you to learn more about Patch Management by watching this complete video. See you in the Next Video.
In this video we will cover:
Firewall/NSG
In this video you will learn:
There are two basic types of packet-filtering firewalls: static (stateless) packet filters and dynamic (stateful) packet filters. Static is the oldest and dynamic is the newer.
A static packet filter looks at each individual packet in isolation: a single packet comes in and the firewall analyzes that packet's headers against the rules. It does not catch attacks that are spread over many packets, because it has no memory of what came before.
For example, one packet comes through and the firewall examines it according to its rules. If it is good, the firewall lets the packet move to its destination; then the next packet comes along and the firewall repeats the same check with no knowledge of the first.
Bad actors learned that we did this, so they split attacks across multiple packets and forged packets that look like replies to allowed traffic. So we updated to dynamic packet filtering, also known as stateful inspection.
A stateful firewall keeps a connection table and takes the previous packet(s) of a connection into consideration before forwarding a packet, so it can tell a genuine reply from an unsolicited packet. In the cloud, network security groups (NSGs) are stateful filters of this kind applied to virtual network interfaces and subnets.
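As an added example, not part of the course material: the two filter types run over the same constructed three-packet trace. The stateless filter has to admit any inbound packet with source port 443 in order to let HTTPS replies in at all, so a forged packet from an unrelated host with that source port also passes; the stateful filter records the connection the client opened and admits only the matching reply. Addresses and the Pkt type are made up for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Pkt:
    direction: str    # "out": from the trusted LAN, "in": from the untrusted side
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP connection-opening packet

def stateless_decide(pkt: Pkt) -> str:
    """Static packet filter: every packet judged alone, no memory of earlier packets.
    To let HTTPS replies back in at all, the rule must admit any inbound packet
    whose source port is 443, and an attacker can put that port on anything."""
    if pkt.direction == "out":
        return "allow"
    return "allow" if pkt.sport == 443 else "deny"

class StatefulFilter:
    """Dynamic packet filter / stateful inspection: remembers connections the
    trusted side opened and admits inbound packets only as replies to them."""
    def __init__(self) -> None:
        self.connections = set()

    def decide(self, pkt: Pkt) -> str:
        if pkt.direction == "out":
            if pkt.syn:   # new outbound connection: record it
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # an inbound packet is a reply only if the reversed 4-tuple is a known connection
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reply_of in self.connections else "deny"

# Constructed trace: a client opens HTTPS to a web site, the site replies,
# then an unrelated host sends an unsolicited packet with source port 443.
TRACE = [
    Pkt("out", "10.0.0.5", 40000, "203.0.113.9", 443, syn=True),
    Pkt("in",  "203.0.113.9", 443, "10.0.0.5", 40000),
    Pkt("in",  "198.51.100.7", 443, "10.0.0.5", 40001),
]

def run(trace: List[Pkt]) -> Tuple[List[str], List[str]]:
    """Decisions of both filter types over the same trace, in order."""
    stateful = StatefulFilter()
    return ([stateless_decide(p) for p in trace], [stateful.decide(p) for p in trace])

if __name__ == "__main__":
    stateless, stateful = run(TRACE)
    for p, a, b in zip(TRACE, stateless, stateful):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={a}  stateful={b}")
```

A production stateful filter also ages entries out and tracks the TCP handshake and teardown; the connection-table lookup on the reversed 4-tuple is the part that makes the third packet fail.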
We encourage you to learn more about Firewalls/NSG by watching this complete video. See you in the Next Video.
In this video we will cover:
Legal and Compliance (13% of the Test).
Legal? What If you are not a Lawyer?
What do you need to know about the exam?
ENISA Cloud Computing Key Legal Issues.
Contracts
CSP and MSP
Contract Parts
In this video you will learn:
What should you know about information security laws for the test, and what are the fundamental legal issues with the cloud? You are not expected to be a lawyer. Your responsibility is to talk to the lawyers to ensure you are protecting data appropriately.
We have significant legal problems with clouds, including:
data protection,
availability,
integrity,
confidentiality,
intellectual-property control,
professional negligence,
outsourcing concerns, and
changes in IT and IS control.
These are a few of the topics of concern we have with moving to the cloud.
So it is critical that you read, and possibly negotiate, your contract with the cloud provider.
We have two different terms for providers: Cloud Service Providers (CSPs), which operate the cloud itself, and Managed Service Providers (MSPs), which operate services on your behalf, often on top of a CSP. It is good to know the difference.
In contracts, there are many parts, which include:
MSA - Master Services Agreement,
SLA - Service Level Agreement, and
PLA - Privacy Level Agreement.
I recommend that you download and look through all of the additional content I have added as files, in particular the CSA Guidance 4.0. The CCSP is an (ISC)² exam built in partnership with the CSA, so the CSA material is core reading.
We encourage you to learn more about Legal Intro by watching this complete video. See you in the Next Video.
In this video we will cover:
Privacy laws and regulations.
Standards
In this video you will learn:
Privacy refers to the protection of personal data, a.k.a. personally identifiable information (PII). Protection of personal data is critical these days. PII includes:
your name,
phone number,
biometric information,
geolocation,
educational information,
professional information, and so on.
ISO/IEC 27018 is a code of practice for the protection of personally identifiable information in public clouds acting as PII processors. Under the EU GDPR, processing includes storage, so PII sitting within a cloud makes the cloud provider your PII processor, and you, the customer, remain the controller responsible for it.
We encourage you to learn more about Privacy laws and regulations Intro by watching this complete video. See you in the Next Video.
In this video we will cover:
EU Directive 95/46/EC, EU Directive 2002/58/EC, and the EU GDPR.
GDPR Privacy Principles.
In this video you will learn:
All about the GDPR, which replaced Directive 95/46/EC in 2018, and its requirements to protect personal data. All of the essential terms, such as data controller and data processor, are covered in this section.
In this video we will cover:
Other Privacy Laws From Around The World
California Consumer Privacy Act (CCPA)
In this video you will learn:
There are a lot of privacy laws that (ISC)² thinks it would be good for you to know, including:
Privacy Act of 1988 - Australia,
PIPEDA - Personal Information Protection and Electronic Documents Act - Canada,
Act on the Protection of Personal Information (APPI), amended 2017 - Japan,
Personal Data Protection Act No. 25,326 - Argentina, and
Protection of Privacy Law 5741-1981 and Protection of Privacy Regulations (Data Security) 5777-2017 - Israel.
There is also the APEC (Asia-Pacific Economic Cooperation) Privacy Framework. APEC has 21 member economies, and the framework promotes consistency of privacy protection across them.
The California law, the CCPA, has many aspects that seem very similar to the EU GDPR, but it is different, so watch the language usage. CCPA rights include:
the right to know whether, and what, personal information has been collected,
the right to request that a business delete your personal data,
the right to download the data to take elsewhere (portability),
the right to opt out of the sale of your personal data,
with the exception of minors, whose data may only be sold if they (or a parent) opt in, and
the right to exercise these rights without being discriminated against.
Additional info you may find interesting to explore these ideas further:
Interesting site to browse.
https://www.dlapiperdataprotection.com/index.html
Here is another site for US specific laws by state.
https://www.itgovernanceusa.com/data-breach-notification-laws
We encourage you to learn more about Other Privacy Laws by watching this complete video. See you in the Next Video.
In this video we will cover:
Privacy Management Framework (PMF)
Privacy Maturity Model
In this video you will learn:
There are privacy management frameworks, including the Generally Accepted Privacy Principles (GAPP) and its successor, the AICPA Privacy Management Framework (PMF). The PMF has nine components, for example Management; Agreement, notice and communication; Collection and creation; and Use, retention and disposal.
There are different maturity models mentioned within CCSP, and the AICPA/CICA Privacy Maturity Model (PMM) is one of them. AICPA is the American Institute of Certified Public Accountants and CICA was the Canadian Institute of Chartered Accountants (now part of CPA Canada).
The AICPA/CICA PMM is based on GAPP and on Carnegie Mellon's Capability Maturity Model Integration (CMMI).
The Privacy Maturity Model has five maturity levels: Ad Hoc, Repeatable, Defined, Managed, and Optimized. You should be familiar with these levels and with the idea that each level adds consistency and measurement to the one below it.
We encourage you to learn more about Privacy Management Framework and Maturity Model by watching this complete video. See you in the Next Video.
In this video we will cover:
FEDRAMP
Stored Communications Act (SCA)
CLOUD Act
In this video you will learn:
FedRAMP is also good to know for this test. FedRAMP stands for the Federal Risk and Authorization Management Program. It is a standardized approach to security assessment, authorization, and continuous monitoring of cloud services used by US Government agencies; a provider holding a FedRAMP authorization has been assessed against a baseline of NIST SP 800-53 controls.
The US Stored Communications Act (SCA) applies to service providers. It limits and controls access to stored wire and electronic communications and transactional records, and sets out when law enforcement may compel a provider to hand them over. It also lets law enforcement require a provider to preserve records (cell phone locations, text messages, and so on) long enough for an investigation to establish that they are needed and to obtain the proper legal process.
The purpose of the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) is to extend US Government and law enforcement access to data that US-based providers store across national borders. It is an amendment to the Stored Communications Act (SCA).
We encourage you to learn more about FedRAMP and CLOUD Act by watching this complete video. See you in the Next Video.
In this video we will cover:
A Contract Vs Law
In this video you will learn:
PCI DSS is not a law or regulation; basically, it is a contract. It establishes a requirement to meet the Data Security Standard developed by the Payment Card Industry Security Standards Council. The obligation arrives through the contractual agreement with the card brands and acquiring bank that lets a merchant process card charges, so non-compliance is a matter of civil (contract) law rather than criminal law.
We encourage you to learn more about Intro to PCI by watching this complete video. See you in the Next Video.
In this video we will cover:
PCI Requirements 1-3
In this video you will learn:
There are 12 requirements in PCI DSS (the wording below follows v3.2.1; v4.0 keeps the same twelve headings with reworded titles). It is highly recommended that you be familiar with all 12. You should know that installing and maintaining a firewall configuration is part of PCI DSS; it is not necessary to remember that it is number one on the list. The second is: never use vendor-supplied defaults for passwords and other security parameters. The third is: protect stored cardholder data.
We encourage you to learn more about PCI Requirements 1-3 by watching this complete video. See you in the Next Video.
In this video we will cover:
PCI Requirements 4-6
In this video you will learn:
The fourth is that you must encrypt cardholder data when it is transmitted over open, public networks. The fifth is to protect all systems against malware and keep anti-virus software regularly updated. The sixth is to develop and maintain secure systems and applications.
We encourage you to learn more about PCI Requirements 4-6 by watching this complete video. See you in the Next Video.
In this video we will cover:
PCI Requirements 7-12
In this video you will learn:
Seven - Restrict access to cardholder data by business need to know.
Eight - Identify and authenticate access to system components: everyone who can reach cardholder data has a unique ID, so actions can be traced to a person.
Nine - Restrict physical access to cardholder data, which means the servers and media that hold cardholder information must be physically protected.
Ten - Track and monitor all access to network resources and cardholder data.
Eleven - Regularly test security systems and processes.
Twelve - Maintain a policy that addresses information security for all personnel.
We encourage you to learn more about PCI Requirements 7-12 by watching this complete video. See you in the Next Video.
In this video we will cover:
ITAR & EAR
In this video you will learn:
EAR (Export Administration Regulations) come from the Department of Commerce and ITAR (International Traffic in Arms Regulations) from the Department of State. Export and import of most commercial items, especially dual-use goods, is the concern of the EAR. Cryptography is a dual-use good because it has both civilian and military applications. The export of defense articles and services on the United States Munitions List falls under ITAR; this can include things like military robotics. Data center location matters here, because placing controlled technical data on a server outside the US can itself count as an export.
We encourage you to learn more about ITAR & EAR by watching this complete video. See you in the Next Video.
In this video we will cover:
ICS
NERC CIP
In this video you will learn:
Every country has laws regarding its national infrastructure. Protection of the national power grid is paramount. Connecting the systems that control Programmable Logic Controllers (PLCs) to the Internet in any manner requires protection.
NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) is a set of mandatory, enforceable reliability standards, not merely best practices. Energy and utility companies are heavily regulated, and the bulk electric system (BES) must be protected from cyber attacks.
We encourage you to learn more about ICS by watching this complete video. See you in the Next Video.
In this video we will cover:
Audit Methodologies
Can We Audit A Public Cloud?
SOC 1
SOC 2
Type 1 and 2
SOC 3
In this video you will learn:
When you have to be in compliance with something, whether it is FedRAMP, ISO standards, PCI DSS, GDPR, or anything else, we need audits. When we think of compliance we need to consider laws, regulations, contracts, and policies.
An audit is a very controlled process. Audit standards include SAS 70 (now retired), its successors SSAE 16 and SSAE 18 in the US, and the international ISAE 3000/3402.
At the end of the audit you always get a report, and your auditor will tell you about the findings. A finding, which is something noted to be out of compliance, needs to be looked into. For service organizations such as cloud providers the reports are called SOC 1, SOC 2, and SOC 3.
The AICPA is the source for SOC 1, SOC 2, and SOC 3. SOC 1 covers controls relevant to the user's financial reporting. Each SOC 1 or SOC 2 report is Type 1 or Type 2: a Type 1 report covers the design of controls at a point in time, while a Type 2 report also covers their operating effectiveness over a period, typically six to twelve months, which is the one that gives a customer real assurance.
SOC 2 is intended for users that need detailed information and assurance about a service organization's controls relevant to the five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
SOC 3 covers the same criteria but without the details. It is effectively a SOC 2 reduced to a simple confirmation from the auditor: a general-use report that provides a seal of approval for the cloud provider with very little information about the environment. A SOC 3 is usually published openly, whereas a SOC 2 is shared under NDA.
We encourage you to learn more about Audits and SOC reports by watching this complete video. See you in the Next Video.
In this video we will cover:
The GAP
In this video you will learn:
The gap in the gap analysis is between where you are and where you want to be. Where you want to be could be in Compliance with a Law, contract, or Policy.
We encourage you to learn more about Gap analysis by watching this complete video. See you in the Next Video.
In this video we will cover:
CSA STAR
CSA STAR Level 1
CSA STAR Level 2
CAIQ
CCM
In this video you will learn:
CSA stands for Cloud Security Alliance and STAR for Security, Trust, Assurance, and Risk. As a customer, if you discover a new cloud provider, a reasonable question is: can we trust this provider? The STAR registry is a central, publicly accessible reference with a lot of information about providers who have decided to register.
Within STAR there are three levels. Level one means the provider published a self-assessment. Level two means a third party audited the cloud provider against ISO 27001 plus the CCM (STAR Certification), a SOC 2 plus the CCM (STAR Attestation), or the CSA GDPR Code of Conduct. Level three means continuous, ongoing monitoring.
CAIQ stands for Consensus Assessments Initiative Questionnaire, a standard template that cloud providers use to document their security and compliance controls by answering yes or no against each CCM control.
The CCM (Cloud Controls Matrix) maps cloud security controls to laws, regulations, and standards. If you need to comply with multiple documents, this matrix can make the work much easier, because one control implemented once can satisfy several frameworks at the same time.
We encourage you to learn more about CSA STAR and CCM by watching this complete video. See you in the Next Video.
In this video we will cover:
Risk Assessments / Analysis
In this video you will learn:
There are so many threats that could be realized. Which threats are ones we really need to prepare for? Which threat is the biggest? What would be the most costly? What is the most likely? To uncover those answers we do risk assessments and work toward the best solutions for our business.
Risk appetite is the first question to address. What is the CEO willing to consume in the pursuit of their business? Are they risk-aggressive or risk-averse?
The risk profile is the amount of risk an organization can tolerate before it would cease to exist.
We have also highlighted some other key points in this short video. We encourage you to learn more about Risk appetite and risk profile by watching this complete video. See you in the Next Video.
In this video we will cover:
Risk Tolerance
In this video you will learn:
There is a tolerance around risk appetite. Risk tolerance can be used as an indicator of the status of risk. There is a level of tolerance that exists above and below what the CEO believes their risk appetite to be. There are times when they will be a little more risk-aggressive and times when they are more risk-averse. That variation gives you risk tolerance.
We have also highlighted some other key points in this short video. We encourage you to learn more about Risk Tolerance by watching this complete video. See you in the Next Video.
In this video we will cover:
Quantitative Risk Assessment
In this video you will learn:
There are documents on how to do risk assessments. They include ISO 31000 - Risk Assessment and ISO/IEC 27005 - Information Security Risk Management. Some others are highlighted in this video.
Two risk assessment methods are explained: Qualitative and Quantitative risk assessment. In the Quantitative method, the monetary impact of specific threat events is assessed, and there are formulas to calculate that impact.
If you are worried about a single loss, for example, you drop your phone and run a car over it, that would mean your asset value is $1,000 and the exposure factor is 100%. The formula for Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF).
The Annual Rate of Occurrence (ARO) is how often this happens per year. When you combine (multiply) the SLE with the ARO you know the Annualized Loss Expectancy (ALE).
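The SLE and ALE formulas applied to the phone scenario, as an added example that is not part of the original course material. The ARO of 0.5 (once every two years) and the second event are constructed values, and the safeguard cost-benefit comparison goes one step beyond the text by showing how ALE is used to judge whether a control is worth its annual cost.

```python
from dataclasses import dataclass


@dataclass
class ThreatEvent:
    """One threat event against one asset, in the course's quantitative terms."""
    name: str
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of AV lost in a single event (0.0 to 1.0)
    aro: float              # ARO: expected number of occurrences per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


def rank_by_ale(events: list[ThreatEvent]) -> list[str]:
    """Names of the events, most costly per year first; this is the prioritisation step."""
    return [e.name for e in sorted(events, key=lambda e: e.ale(), reverse=True)]


def safeguard_value(event: ThreatEvent, aro_after: float, annual_cost: float) -> float:
    """Annual value of a control: (ALE before - ALE after) - annual cost of the control.
    A positive result means the control saves more than it costs. (Hypothetical helper.)"""
    after = ThreatEvent(event.name, event.asset_value, event.exposure_factor, aro_after)
    return (event.ale() - after.ale()) - annual_cost


# Constructed sample: the course's phone (AV $1,000, EF 100%) plus a second event.
PHONE_RUN_OVER = ThreatEvent("phone run over by car", 1000.0, 1.0, 0.5)
LAPTOP_DISK_FAIL = ThreatEvent("laptop disk failure", 2000.0, 0.25, 0.2)

if __name__ == "__main__":
    print(f"SLE={PHONE_RUN_OVER.sle():.2f} ALE={PHONE_RUN_OVER.ale():.2f}")
    print(rank_by_ale([PHONE_RUN_OVER, LAPTOP_DISK_FAIL]))
    # A $60/year protective case that halves the ARO to 0.25 (constructed figures)
    print(f"case value per year: {safeguard_value(PHONE_RUN_OVER, 0.25, 60.0):.2f}")
```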
We have also highlighted some key points in this short video. We encourage you to learn more about Quantitative Risk Assessment by watching this complete video. See you in the Next Video.
In this video we will cover:
Basics To Risk
In this video you will learn:
You should definitely be aware of the fundamental terms of risk management.
The first term is an asset. For example, my iPhone.
The second thing is a threat. Some kind of harm can happen to the asset. It will impact confidentiality, integrity, and/or availability.
The next thing is the threat source. The threat source is the who or what that causes the threat to be exploited.
The vulnerability is that your phone is small and portable, making it easy to drop.
The impact is the extent of the damage caused by this threat being exploited.
The final point is the attack/exploit. This is the actual exploitation. It takes the threat from a theoretical topic to a real event.
We encourage you to learn more about Basic Risk Terminology by watching this complete video. See you in the Next Video.
In this video we will cover:
Qualitative Risk Assessment
In this video you will learn:
Qualitative risk assessments are a little bit easier. This is when you map the likelihood of an event happening to its expected impact. When you map dozens or hundreds of events you can then prioritize the events that you will prepare for.
Take the phone again and the concern of dropping it and running it over with a car. The questions are how likely that is and what its impact would be. Not likely and not big are the basic answers.
We encourage you to learn more about Qualitative Risk Assessment by watching this complete video. See you in the Next Video.
In this video we will cover:
Risk Reduction/ Mitigation
Risk Transference
Risk Avoidance
Risk Acceptance
In this video you will learn:
After getting through quantitative and qualitative risk assessments the next question to address is “What should we do about it?” There are four choices. Reduce your risk, transfer your risk, avoid your risk and accept your risk.
Let’s start with avoidance. If it’s too risky, don’t do it. When a risk is determined to be too great that activity should not be started. If the business is already engaged, then it should be stopped.
Risk reduction is applying controls to minimize the likelihood or impact. For example, putting on masks to reduce the chance of getting covid.
Risk transference is involving someone else in the recovery if the risk is realized. For example, insurance. If you get sick with covid and you are in hospital, then your insurance should cover those expenses.
The last one is risk acceptance. No matter what else is done in response to risk, there is always at least a chance that a risk will occur and an impact will be felt. That chance must be accepted by the appropriate party.
We have also highlighted some key points in this short video. We encourage you to learn more about Risk Response by watching this complete video. See you in the Next Video.
In this video we will cover:
Forensics
Three Types Of Investigations
Standards
In this video you will learn:
One of the most common questions I hear is, can you do forensics in the cloud? The answer is yes, but there are changes from traditional data centers. There are three types of Investigations that you can do, Operational, Civil, and Criminal Investigation.
There are standards to keep in mind while doing Forensics which include, ISO/IEC 27037, ISO/IEC 27041, ISO/IEC 27042, ISO/IEC 27043, and ISO/IEC 27050.
We encourage you to learn more about Forensics Intro by watching this complete video. See you in the Next Video.
In this video we will cover:
Investigative Rules / Requirements
Forensics In the Cloud
In this video you will learn:
You need to make sure that you follow all rules and regulations for search, seizure, collection of evidence, and chain of custody. The search and seizure process must be followed, and a chain of custody must be maintained.
You can do forensics in the cloud but it’s different from the physical world because in the data center, you have the physical computer to analyze. You can look at the hard drive, memory, and cache. When you put data in the cloud it’s very difficult to find the data since it is dispersed across many different servers. Also, the physical memory of a server is shared by all of the running virtual machines.
We encourage you to learn more about Basic Cloud forensics by watching this complete video. See you in the Next Video.
In this video we will cover:
E-Discovery
In this video you will learn:
Electronic discovery (E-Discovery) refers to discovery in which the information is electronically stored. In forensics, the process of collecting information is Identification, Preservation, Collection, Processing, Review, Production, and Presentation.
After Identification you need to preserve the data under a legal hold. The next step is Collection, such as the transfer of data from a company to legal counsel. The next step is Processing, which looks into the data itself, for example to find whether something is wrong, and prepares it for loading into a document review platform.
Then the documents are reviewed for responsiveness to discovery requests. In production, the documents are turned over to opposing counsel. The final step is a presentation in which documents are displayed before the audience.
We encourage you to learn more about E-Discovery by watching this complete video. See you in the Next Video.
In this video we will cover:
Basic Forensic Rules
In this video you will learn:
Forensics could be necessary and critical for some businesses. Long before we get there we should know the basic forensic rules to ensure evidence will be collected properly.
You should never do forensics unless you are trained. Follow all the rules like the collection of data and chain of custody. Use only approved tools that are acceptable in your court system.
Collect evidence in order of volatility and don’t exceed your knowledge. We encourage you to learn more about Basic Forensic Rules by watching this complete video. See you in the Next Video.
In this course we walk through all of the critical concepts within the Certified Cloud Security Professional exam outline. I will guide you through all of the concepts that you need to know and advise you on the level of knowledge that you need to get comfortable with.
There are over 18 hours of video content. There are a variety of reference documents throughout the course. Do watch for them. They include my cloud guardians book, my slides, as well as other useful documents such as the CSA guidance 4.0.
We will explore information security in the cloud. A lot of information security remains the same when you transition to the cloud, but a lot changes. Everything is in here from Governance, Risk management, and Compliance (GRC) to encryption and building data centers.
Most of this exam you should think from a customer perspective looking toward the cloud provider. However, there are points, especially in domains three and five, that the perspective of the exam question can and will change to that of a cloud provider.
A solid understanding of the networking involved in data centers is explored, including firewalls, network security groups, intrusion detection systems, intrusion prevention systems and more. Fundamentally this is a datacenter course. If networking is a new topic to you, watch and learn about networking.
There is plenty of information in here about the cloud and how it works. What I do say, though, is that the more you know the easier this test gets. 20 years of teaching CISSP and a deep dive into OpenStack made this exam easy for this instructor. Be careful, this is not an easy test, but the more you know the easier it gets.